The right to access the personal information held by the APP entity about that individual is covered by APP 12.1. whether the information or opinion is recorded in a material form or not. In addition, each electronic message (which the recipient has consented to receive) must identify the sender and contain a functional unsubscribe facility to enable the recipient to opt out of receiving future electronic marketing. App developers must also ensure that the collection of customers' personal information complies with the Privacy Act, and the Privacy Commissioner has released detailed guidance on this. Organizations must not use or disclose personal information about an individual unless one or more of the following applies: In the case of use and disclosure for the purpose of direct marketing, organizations are required to ensure that: The above direct marketing requirements apply to all forms of direct marketing. State Government agencies) dealing with TFNs are covered by: Processing exempted from the Privacy Act/APPs includes purely personal/domestic processing of personal information (i.e. Issue a "technical assistance notice", which requires a communications provider to give assistance that is reasonable, proportionate, practicable and technically feasible, Issue a "technical capability notice", which requires a communications provider to build new capabilities to assist the agency. Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory government agencies. Further information regarding the APPs is set out on the Australian Government website www.oaic.gov.au.
While APP 1 requires an APP entity to take such steps as are reasonable in the circumstances to implement practices, procedures, and systems relating to the entity's functions and activities that ensure compliance with the APPs (APP 1.2), the concept of 'data processing records' (or records of processing activities/RoPA) is not common under Australian privacy law. no matter how many people were affected) as had been previously expected. almost irrespective of the number of individuals impacted).

Specifically, there are no specific legal requirements regarding the use of cookies (or any similar technologies). It is required or authorized by law or on behalf of an enforcement agency.

A draft bill has been published which would increase penalties under the Privacy Act to the greater of: AU$10 million, three times the value of the benefit obtained through the misconduct, or 10% of annual turnover (as well as introducing the framework for a binding online privacy code for social media and certain other online platforms, including data brokerage services and platforms with more than 2,500,000 end users in Australia (excluding customer loyalty schemes)).

1.3 million) in total, not up to AUD 2.1 million x 300,000. Australia regulates data privacy and protection through a mix of federal, state and territory laws. If successful, the resulting fine(s) imposed on Facebook could be staggering and a significant 'game-changer' in Australian privacy. There is currently no right provided under Australian privacy law to request not to be subject to automated decision-making, unless such decision-making results in discrimination, in which case there are possible actions under legislation other than privacy legislation. Section 14 of the Act stipulates a number of privacy rights known as the Australian Privacy Principles (APPs). Once such an assessment is completed (i.e. As is the case with Australian privacy laws, Zendesk acts as the processor, not collector of the data, of its New Zealand customers' customers. The Privacy Act regulates the handling of personal information by relevant entities and, under the Privacy Act, the Privacy Commissioner has authority to conduct investigations, including own-motion investigations, to enforce the Privacy Act and seek civil penalties for serious and egregious breaches or for repeated breaches of the APPs where an entity has failed to implement remedial efforts. Following the release of the Australian Competition and Consumer Commission's Digital Platforms Inquiry report in December 2019, the Australian Government accepted the need for proposed reforms to the Privacy Act. Where a law or court order expressly requires an entity to collect the specified information, that will be sufficient to establish that the precondition has been met. http://privacy.org.nz/information-privacy-principles. While this is appropriate for contracting, the OAIC has given guidance that, subject to a consideration of the capacity of each relevant individual, a person of at least 15 years old can generally be notified of a privacy collection statement and/or consent to the collection of their sensitive information.
The Privacy Commissioner can also seek the imposition of a fine for a serious invasion of privacy (i.e.

Each APP entity that obtains/receives personal information (even as what may be considered a 'data processor' under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) will effectively be considered a data controller under Australian law and has its own separate and primary privacy obligations under the Privacy Act/APPs. Also, all eligible data breaches must be notified to the OAIC and all affected individuals. Specific regulators have also expressed an expectation that regulated entities should have specified data protection practices in place.

However, under the general law the age of majority in Australia is 18 years of age. Other sectors across the economy will be added to the CDR over time. individuals in a non-business capacity), employee records once held by the employer (as to which please see Section 13), political acts and practices (e.g. 6.3 million), three times any benefit obtained from the invasion breach (whichever the greater) and 10% of Australian annual revenue. This expected minimum five-fold increase in the available fine under the Privacy Act and the increased budget given to the Office of the Australian Information Commissioner ('OAIC') has led to greater own-motion investigations (and levying of fines) by the OAIC in the past 12-18 months. All processing (i.e. The effect is that, even where an offshore entity (e.g. Further, organizations must provide individuals with the option to not identify themselves, or to use a pseudonym, when dealing with the organization, unless it is impracticable to do so or the organization is required or authorized by law to deal with identified individuals. The Australian Government has announced (and it is expected by 31 December 2021 to pass) increased fines under the Privacy Act 1988 (Cth) No. The OAIC's interpretation of 'carrying on business in Australia' takes into account the statutory object of the Privacy Act of 'protecting the privacy of individuals and the responsible handling of personal information collected from individuals in Australia'. The information is not sensitive information, the disclosure is for direct marketing, it is impracticable to seek the individual's consent and (among other things) the individual is told that they can opt out of receiving marketing from the organization. [1] The Privacy Act was amended in 2000 to cover the private sector.
Importantly, where the Privacy Commissioner undertakes an investigation of a complaint which is not settled, it is required to ensure that the results of that investigation are publicly available.

Where it is not practicable to notify the affected individuals individually, an organization that has suffered an eligible data breach must make a public statement on its website containing certain information as required under the Privacy Act, and take reasonable steps to publicise the contents of the statement.

Unlike Europe, Australian privacy law does not distinguish between 'data processors' and 'data controllers'. Furthermore, fines of up to AU$440,000 for an individual and AU$2.2 million for corporations may be requested by the Privacy Commissioner and imposed by the Courts for serious or repeated interferences with the privacy of individuals. If this is impracticable, then notification must occur as soon as possible after the collection of that information. The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (AA Act) provides law enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on "Designated Communications Providers". That is, personal information cannot be kept indefinitely, and all document/records/data retention policies must include appropriate provisions requiring deletion/de-identification of personal information in accordance with APP 11.2. If these changes proceed, they would bring penalties for corporations in line with those already in force under the Competition and Consumer Act 2010 (Cth) for breaches of the Australian Consumer Law. Further, organizations may have additional obligations to notify other regulators of data breaches in certain circumstances, including under the Prudential Standard CPS 234 Information Security ("CPS 234"), which aims to strengthen APRA-regulated entities' resilience against information security incidents (including cyberattacks), and their ability to respond swiftly and effectively in the event of a breach.
The right to request not to receive direct marketing and to not have the individual's personal information disclosed or used for direct marketing is covered under APP 7.6. However, this does not avoid the obligation under APP 5 to notify individuals of the prescribed matters (APP 5.2) at or before the time of, or as soon as practicable after, the collection of that information. the requirement or authorisation by or under Australian law or a court/tribunal order) are exceptions from the requirement to obtain consent to collect relevant sensitive information. Even where an exception permits the collection of sensitive information without consent, the entity is still obliged to meet this precondition to the collection. Also, please see the Introduction to this Guidance Note under 'New Developments'. Over the past 18-24 months, another key development is the increasing role of the Australian Competition and Consumer Commission ('ACCC') in enforcing consumer privacy. As well as the current proposed changes, a broader review of the Privacy Act is currently being undertaken by the Australian Government, in accordance with the published terms of reference. In addition, a number of Australian States also have their own privacy laws that regulate State Government agencies and private enterprise contractors to the State Governments and, in some cases, health records. Depending on the organization, and how and by which government agency it is regulated, specific requirements or expectations may also exist, as noted above, with which organizations should be familiar. The organization reasonably believes that the recipient of the information is subject to a law or binding scheme which effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to mechanisms by the individual to take action to enforce the protections of that law or binding scheme.
Additional specific requirements (more onerous than for sensitive information) are included in or incorporated into Australian privacy law for 'Tax File Number information' and 'credit information'. There is no specific 'right to erasure' currently given to individuals under Australian privacy law. The right to seek correction of the personal information held by the APP entity about that individual is covered by APP 13.1 and the right to have any correction notified to third parties to whom the personal information was provided by the APP entity is covered by APP 13.2.

The Privacy Act currently contains an exemption for employee records, such that any records containing personal information which an employer makes in connection with a current or former employment relationship are exempt from the Privacy Act. Additionally, specific requirements for commercial electronic messaging are outlined in Electronic Marketing. Anyone who fails to answer the Commissioner may be subject to a fine of up to $2,000 and/or year-long imprisonment (under section 65).

A Privacy Impact Assessment ('PIA') is contemplated by Australian privacy law but, apart from government agencies, is not mandated. Privacy Act 1988 (Cth) No.

The Report entitled For Your Information: Australian Privacy Law and Practice[6][7] recommended significant changes be made to the Privacy Act, as well as the introduction of a statutory cause of action for breach of privacy. Again, similar to the 'legal obligations' noted above, an entity can dispense with obtaining consent from an individual for the collection of sensitive information where such information is reasonably necessary to assist the location of a person that has been reported missing, or which is necessary to lessen or prevent a serious threat to the life, health, or safety of any individual or to public health or safety. This is, in effect, Australian privacy law's 'right to be informed'. APP 5.2 provides the prescribed matters that must be notified, and these include who is collecting, the purpose(s) for the collection, what use will be made of the information, and to whom it may be disclosed (and whether any of those disclosures are to recipients outside of Australia). The mandatory data breach notification includes data breaches that relate to: In summary, the regime requires organizations to notify the OAIC and affected individuals of "eligible data breaches" (in accordance with the required contents of a notice). The following is a brief summary of how our privacy policy complies with and/or relates to the specific laws and privacy protection principles put forth by the governments of Australia and New Zealand.

APP 5 (notification of collecting personal information) requires that, before, at the time of, or as soon as practicable after, an entity collects personal information from an individual, the entity take such steps as are reasonable in the circumstances to notify the individual of the collection of the personal information;


'Data processing records' are not specifically provided for in, or required by, Australian privacy law. The sending of electronic marketing (referred to as 'commercial electronic messages' in Australia) is regulated under the Spam Act 2003 (Cth) (Spam Act) and enforced by the Australian Communications and Media Authority. In this way, the CDR provides a mechanism for accessing a broader range of information within designated sectors than is provided for by APP 12 in the Privacy Act, given it applies not only to data about individual consumers but also to business consumers and related products. 'Consent' (meaning express or implied consent) is required under APP 3.3 for the collection of sensitive information, including health information, from an individual.

However, the processing of de-identified or anonymous data (if it cannot be reasonably re-identified) is not covered by the Privacy Act/APPs. APP 7 (direct marketing) restricts the use or disclosure of personal information for direct marketing unless an exception applies; and If you consider that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take. APP 1 lists the information which is required to be included in a privacy policy. Key non-binding Guidelines and Guides are issued by the OAIC and are available on the OAIC website, of note: Noteworthy recent decisions, determinations, and undertakings obtained by the Privacy Commissioner include: Recent court action taken by the OAIC against Facebook Inc. in relation to the Cambridge Analytica activities seeks to impose such fines for the first time. While this is not a 'legal basis' for collection, subject to meeting the requirements of APP 3, where there is a contract between the entity and the individual this will usually provide any required consent for the collection. whether the information or opinion is true or not; and. In practice, a major Privacy Act compliance issue often arises because organizations fail to recognize that the mandatory notice requirements outlined above also apply to any personal information collected from a third party. The APPs regulate the collection, use and disclosure of personal information, and also allow individuals to access their personal information and have it corrected if it is incorrect. Organizations must provide individuals with the required notice on receipt of personal information from a third party, even though they did not collect the personal information directly from the individual.
In addition to the Privacy Act/APPs, there is a Privacy Regulation 2013, a legally binding Privacy (Credit Reporting) Code, and rules and guidelines (for example, in relation to privacy in the conduct of medical research and Tax File Numbers ('TFNs')) which have the force of law and apply in specific areas/to specific types of information. From 1 July 2020, the consumer data right ('CDR'), introduced by amendments to the Competition and Consumer Act 2010 (Cth) and the Privacy Act, went live for limited data sharing in relation to the four major banks (as the first part of the so-called 'open banking regime'). 'Pseudonym' and 'pseudonymisation', absent a specific definition in the Privacy Act, are given their ordinary dictionary definitions which, in practice, will be little different to the definition in the GDPR.