Section 6 defines key terms including agency, APP entity, organisation under section 6C, small business operator under section 6D, personal information, sensitive information, health information under section 6FA, health service under section 6FB, interference with the privacy of an individual under sections 13 to 13F, credit provider under sections 6G to 6K, credit information, credit reporting information, credit eligibility information, default information under section 6Q, repayment history information under section 6V, financial hardship information under section 6QA, eligible data breach under section 26WE, Australian link under section 5B, and responsible person under section 6AA. Breaches of Australian Privacy Principles are defined in section 6A, registered APP codes in section 6B and the registered CR code in section 6BA. Permitted general situations are listed in section 16A and permitted health situations in section 16B. Retention periods for credit information are set out in tables in sections 20W and 20X. Serious harm assessment factors are listed in section 26WG. Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable, whether true or not and whether recorded in material form or not (section 6(1)). Sensitive information includes racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, health information, genetic information, biometric information for automated verification or identification, and biometric templates (section 6(1)). Health information includes information or an opinion about an individual’s health, expressed wishes about future health services, a health service provided or to be provided, other personal information collected to provide a health service, information collected in connection with donation of body parts, and genetic information predictive of health (section 6FA). Credit information comprises identification information, consumer credit liability information, repayment history information, financial hardship information, information requests, default information, payment information, new arrangement information, court proceedings information, personal insolvency information, publicly available information relating to credit worthiness, and opinions on serious credit infringements (section 6N). An eligible data breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity and a reasonable person would conclude it is likely to result in serious harm to any individual to whom the information relates (section 26WE(2)), with regard to the kind or kinds of information, its sensitivity, security measures, persons who have or could obtain it, likelihood of circumvention, and nature of the harm (section 26WG). An APP entity is an agency or organisation (section 6(1)). A small business operator carries on one or more small businesses with annual turnover of $3,000,000 or less in the previous financial year, subject to exclusions including health service providers holding health information outside employee records (section 6D(1)-(4)). Related bodies corporate may collect and disclose personal information (other than sensitive information) between themselves without constituting an interference with privacy, subject to conditions (section 13B). Permitted general situations and permitted health situations allow collection, use or disclosure in specified circumstances including serious threats to life, health or safety, unlawful activity, locating missing persons, legal claims, alternative dispute resolution, diplomatic functions, research, provision of health services, and disclosure to responsible persons (sections 16A, 16B). Retention periods for credit information are prescribed, including 2 years for consumer credit liability information after termination, 5 years for default information and court proceedings information, and 7 years for serious credit infringement opinions (section 20W). "De-identified" means personal information is no longer about an identifiable or reasonably identifiable individual (section 6(1)). "Holds" means an entity has possession or control of a record containing the information (section 6(1)). "Collects" applies only if for inclusion in a record or generally available publication (section 6(1)). "Record" includes documents or electronic or other devices but excludes generally available publications, library/art gallery/museum reference items, Commonwealth records in open access period (Archives Act 1983), certain National Archives arrangements, Australian War Memorial memorial collection items, and postal articles in transmission (section 6(1)). "Generally available publication" means magazines, books, articles, newspapers or other publications generally available to the public (print, electronic or other; fee or not) (section 6(1)). "Interference with the privacy of an individual" includes an APP entity act or practice breaching an Australian Privacy Principle or registered APP code (section 13(1)); an entity act or practice breaching Part IIIA or registered CR code (section 13(2)); a contracted service provider act or practice relating to personal information inconsistent with a Commonwealth contract provision (section 13(3)); a file number recipient breach of section 17 rules or unauthorised tax file number request (section 13(4)); contravention of sections 26WH(2), 26WK(2), 26WL(3) or 26WR(10) (section 13(4A)); and breaches of Data-matching Program (Assistance and Tax) Act 1990 Part 2 or section 12 rules or National Health Act 1953 section 135AA rules (section 13(5)). Collection or disclosure of non-sensitive personal information between related bodies corporate is not an interference, subject to exceptions in section 13B(1A) (section 13B(1)). Disclosure by an old partnership and collection by a new partnership (same or similar business, overlapping partners) of necessary personal information is not an interference (section 13C(1)). An overseas act or practice required by foreign law is not an interference (section 13D(1)). "Serious interference" attracts civil penalties (section 13G). "Credit provider" includes banks, organisations or small business operators where a substantial part of business is credit provision or retail credit card issuers, prescribed agencies/organisations/operators, suppliers/lessors with deferred repayment or credit of 7 days or more (not deposit-based), agents performing necessary tasks for credit application or management, securitisation entities performing necessary tasks, and acquirers of repayment rights (sections 6G(1)-(4), 6H(1), 6J(1), 6K(1)); exclusions apply while acting as real estate agent, general insurer (Insurance Act 1973) or employer, and for prescribed classes (section 6G(5)-(6)). "Credit reporting body" collects, holds, uses or discloses personal information for credit worthiness information (section 6P). "Credit eligibility information" means credit reporting information or CP derived information (section 6(1)). "Affected information recipient" includes mortgage insurers, trade insurers, related bodies corporate, credit managers and advisers (sections 22C-22F). "Permitted general situation" covers collection, use or disclosure without consent for serious threats to life, health or safety, unlawful activity or misconduct, locating missing persons (per Commissioner rules), legal or equitable claims, confidential ADR, diplomatic or consular functions (agencies), or Defence Force operations outside Australia or external Territories (section 16A table). "Permitted health situation" covers collection of health information necessary for health service provision, family or social or medical history, research or statistics or management or funding or monitoring (with de-identification or consent impracticable and per law or guidelines), use or disclosure for research or to genetic relatives for serious threat (per guidelines), and disclosure to responsible persons for care or compassion (section 16B). "Government related identifier" means an identifier assigned by an agency, State or Territory authority, their agents or contracted service providers (section 6(1)). "Responsible person" includes parent, adult child or sibling, spouse or de facto partner, adult household relative, guardian, enduring power of attorney holder (health decisions), intimate personal relationship person, or emergency contact nominee (section 6AA). "Enforcement body" includes Australian Federal Police, National Anti-Corruption Commissioner or Inspector, ACC, Sport Integrity Australia, Immigration Department, APRA, ASIC, DPP or similar bodies, agencies administering penalty or sanction or public revenue laws, State or Territory police, and prescribed State or Territory criminal investigation bodies (section 6(1)). "Enforcement related activity" covers prevention, detection, investigation, prosecution or punishment of offences or breaches; surveillance, intelligence or monitoring; protective or custodial activities; proceeds of crime confiscation; public revenue protection; serious misconduct remedying; and court or tribunal proceedings or orders implementation (section 6(1)). "File number recipient" means a person in possession or control of a tax file number information record; employer, agency or AFP in employment contexts; or unincorporated body assisting an agency (section 6(1), section 11). "Tax file number information" means information recording a person's tax file number connected to identity (lawful or unlawful; recorded or not) (section 6(1)). "Consent" means express or implied consent (section 6(1)). "Australian law" means Acts, regulations or instruments of the Commonwealth, State or Territory, Jervis Bay or external Territory laws, or common law or equity (section 6(1)). "Australian link" has the meaning in section 5B(2)-(3) (section 6(1)). "Overseas recipient" has the meaning in APP 8.1 (section 6(1)). "National emergency declaration" has the meaning in the National Emergency Declaration Act 2020 (section 6(1)). "Civil penalty provision" has the meaning in the Regulatory Powers Act (section 6(1)). "Regulatory Powers Act" means the Regulatory Powers (Standard Provisions) Act 2014 (section 6(1)). Section 6V defines repayment history information, adjusted for financial hardship arrangements under section 6V(1A)-(1B) and section 6QA. Section 6QA defines financial hardship information arising from permanent variations or temporary relief arrangements. Section 16B sets out permitted health situations for collection, use or disclosure of health information. Section 13 defines interference with privacy, including breaches of APPs, registered APP codes, Part IIIA or the registered CR code, with serious interferences under section 13G and general interferences under section 13H. Section 26WE defines eligible data breach as unauthorised access, disclosure or loss of personal information held by an APP entity, credit reporting body, credit provider or file number recipient, and a reasonable person would conclude it is likely to result in serious harm (section 26WE). Remedial action before serious harm occurs prevents the breach from being eligible (section 26WF). Retention periods for credit information are set out in the table in section 20W for credit information and in section 20X for personal insolvency information. Permitted general situations are listed in section 16A. Acts and practices are attributed under section 8, with exempt acts and practices in sections 7B-7C.