74. Regulations

74.—

1. The Minister may make regulations for the purpose of giving effect to the provisions of this Act, and such regulations may—

(a) make different provision for different cases; and

(b) make such supplemental, incidental, consequential, transitional or savings provisions as the Minister considers appropriate.

2. Without limiting the generality of subsection (1), regulations made under this section may—

(a) provide additional safeguards in relation to sensitive personal data;

(b) prescribe retention periods for personal data, to be observed by data controllers;

(c) prescribe the fees which may be imposed under this Act;

(d) prescribe offences for the contravention of the regulations and the penalties therefor, which penalties may exceed the amount specified in section 29(1)(b) of the Interpretation Act but shall not in any event exceed five million dollars; and

(e) prescribe the methods by which personal data may be disposed of.

3. The following instruments mentioned in this Act shall be subject to affirmative resolution—

(a) regulations under section 2 prescribing attributes considered to be biometric data;

(b) orders under section 11(3)(b) (order specifying additional grounds on which processing of personal data may be prevented);

(c) orders under section 19(1) (order describing “specified processing” for which assessment is required);

(d) regulations under section 22(7) prescribing additional circumstances in which a data controller is not obliged to disclose to a data subject the information referred to in section 22(4);

(e) orders under section 24(1)(k), (3) or (4) (orders concerning processing of sensitive personal data);

(f) orders under section 24(5) specifying cases in which conditions for processing sensitive personal data are deemed not to be met regardless of consent of data subject;

(g) regulations mentioned in section 28, prescribing methods for disposal of personal data;

(h) orders under section 31(5) prescribing circumstances when transfer to another State or territory is or is not necessary in the public interest;

(i) orders under section 62(11)(a)(iv) or (v) varying the amount of the fixed penalty imposed for breach of the data protection standards or specifying other offences under this Act to which the fixed penalty shall apply;

(j) orders under section 63(6) amending the Fourth Schedule;

(k) orders under paragraph 6(2) of the Second Schedule specifying the matters to be taken into account in determining whether exemption from the disclosure to data subject requirements is warranted.