10. Criminal sanctions may apply to people dealing with protected information
The NDIS Act contains a number of criminal offences for the collection, recording, disclosure and access of protected information. The offences that carry a penalty of 2 years' imprisonment or 120 penalty units relate, in summary, to:
- unauthorised collection of protected information (section 61);
- unauthorised use or disclosure, including making a record of protected information (section 62);
- soliciting the disclosure of protected information (section 63); and
- offering to supply protected information (section 64).
The NDIS Act allows NDIA staff to properly perform their duties. An NDIA staff member does not commit an offence if the person is authorised or required by the NDIS Act to collect, record, disclose or use the protected information.
The criminal offences in the NDIS Act are not limited to NDIA staff. They apply to all people, including contractors of the NDIA, as offences in the NDIS Act specifically apply to 'a person' who deals with protected information.
When protected information is disclosed to a person other than the NDIA, it still retains its relevant protections under the NDIS Act and the Privacy Act.
In addition, the provisions of the Privacy Act are enforced by the Office of the Australian Information Commissioner (OAIC). The OAIC has the power to make determinations in relation to privacy breaches, initiate investigations, impose sanctions (such as the payment of compensation) and accept an enforceable undertaking from an APP entity.
Additionally, the OAIC may make an application to the Federal Court or Federal Circuit Court to make an order that an entity pay a civil penalty, where there has been a serious or repeated interference with privacy. It is up to the court to decide whether the entity has contravened the civil penalty provision and the appropriate penalty amount.