Privacy Law and Policy Reporter
These ‘Preliminary Privacy Principles’ were forwarded by the Commissioner to business and consumer groups in late November 1997 as the basis for discussions to take place during December. (General Editor)
These principles are presented by the Privacy Commissioner as part of her consultations with business, community and government on a self-regulatory approach to information privacy protection in the Australian private sector. They are similar to the principles presented for discussion in the Commissioner’s August 1997 consultation paper Information Privacy in Australia: a National Scheme for Fair Information Practices in the Private Sector, although some changes have been made to reflect the Commissioner’s consultations over the last three months.
The principles reflect the ideas behind most sets of information privacy principles in Australia and overseas but efforts have been made to tailor them to the private sector context. So far as possible, they are expressed in plain language. They are presented for discussion only and do not constitute the Commissioner’s final position.
1.1 An organisation should only collect personal information that is necessary for or directly related to one of its legitimate purposes.
1.2 An organisation should not collect personal information by unlawful or unfair means or in an unreasonably intrusive way.
1.3 When collecting personal information from the subject of the information, an organisation should take reasonable steps to let the person know how it will use the information, to whom it will disclose the information, and the consequences of providing or not providing the information.
1.4 An organisation should take reasonable steps to collect personal information from the subject of the information, rather than a third party.
An organisation should only use or disclose personal information where:
(a) the use or disclosure is for a purpose, or is directly related to a purpose, for which the personal information was collected or generated;
(b) the person to whom the personal information relates has consented to the use or disclosure;
(c) the use or disclosure is necessary to prevent or lessen a serious and imminent threat to a person’s life or health;
(d) the use or disclosure is required or authorised by law;
(e) a person or body with responsibility for investigating criminal offences has asked the organisation to use or disclose personal information, and the organisation has reasonable grounds for believing that the request has been made in connection with a legitimate investigation of criminal offences, and the organisation makes and retains a record of the information it has provided; or
(f) the organisation has reasonable grounds for believing that an offence has been committed and the organisation discloses the personal information in the course of reporting the offence to the relevant authorities.
An organisation should take reasonable steps to make sure that the personal information it collects, holds or uses is of good quality, taking into account the purpose for which the information is collected, held or used.
4.1 An organisation should take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 An organisation should take reasonable steps to destroy personal information if:
(a) the information is no longer needed for the purpose for which it was collected or any directly related purpose; and
(b) there is no legal reason to retain it.
5.1 An organisation should have a general policy of openness about developments, practices and policies with respect to personal information.
5.2 An organisation should take reasonable steps to let people know what sort of personal information it holds, and how it collects, uses, discloses and stores the information.
6.1 If requested to do so, an organisation should take reasonable steps to provide a person with access to the personal information it holds about him or her except where:
(a) providing access would endanger the safety or physical or mental health of any individual; or
(b) providing access would have an unreasonable impact upon the privacy of other individuals; or
(c) providing access would impose unreasonable costs on the organisation; or
(d) providing access would directly and significantly prejudice the commercial position of the organisation; or
(e) the information relates to the investigation of possible fraudulent or other illegal activities; or
(f) providing access would otherwise be unlawful.
6.2 If an organisation holds personal information about a person and the person is able to establish that the information is not of good quality, the organisation should take reasonable steps to correct the information so that it is of good quality.
6.3 If the person and the organisation disagree about the quality of the information and the person asks the organisation to associate with the information a statement disputing its quality, the organisation should take reasonable steps to do so.
6.4 An organisation should take reasonable steps to provide reasons for denial of access or alteration.
7.1 An organisation should not adopt as its own unique identifier an identifier that has been assigned by a government agency or by an organisation providing services under contract to a government agency.
7.2 Unless required by law, an organisation should not compel a person to disclose a unique identifier assigned to the person by a government agency or by an organisation providing services under contract to a government agency.
Wherever possible, people should have the option of not identifying themselves when entering transactions.