Privacy Law and Policy Reporter
(Federal Privacy Commissioner, February 1998).
(The summary headings do not form part of the principles themselves.)
We will only collect information that is necessary for what we do
1.1 An organisation should only collect personal information that is necessary for one or more of its legitimate functions or activities.
We will be fair in the way we collect information about you
1.2 An organisation should only collect personal information by lawful and fair means and not in an unreasonably intrusive way.
We will tell you who we are and what we intend to do with information about you
1.3 At or before the time an organisation collects personal information from the subject of the information (or, if that is not practicable, as soon as practicable thereafter), it should take reasonable steps to ensure that the subject of the information is aware of:
(a) the identity of the organisation and how to contact it;
(b) the fact that he or she is able to gain access to the information;
(c) the purposes for which the information is collected;
(d) to whom (or the types of individuals or organisations to which) it usually discloses information of this kind;
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
Where practicable, we will collect personal information directly from you
1.4 Where it is reasonable and practicable to do so, an organisation should collect personal information directly from the subject of the information.
If we collect information about you from someone else we will, wherever possible, make sure you know we have done this
1.5 Where an organisation collects personal information from a third party, it should take reasonable steps to ensure that the subject of the information is or has been made aware of the matters listed under item 1.3 above.
Use and disclosure
We will only use or disclose information about you in ways that are consistent with your expectations or are required in the public interest
2.1 An organisation should only use or disclose personal information for a purpose other than the primary purpose of collection (a ‘secondary purpose’) if:
(a)(i) the secondary purpose is related to the primary purpose of collection; and
(ii) the subject of the information would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c)(i) the organisation uses the information for the purpose of direct marketing; and
(ii) it is impracticable for the organisation to seek the individual’s consent before using the information; and
(iii) the organisation gives the individual the express opportunity, at the time of first contact or thereafter upon request, and at no cost, to decline to receive any further direct marketing communications; or
(d) the organisation reasonably believes that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to an individual’s life or health; or
(e) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(f) the use or disclosure is required or specifically authorised by law; or
(g) the use or disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty or for the protection of the public revenue; or
(h) an intelligence or law enforcement agency asks the organisation to use or disclose the personal information on the basis that the use or disclosure is necessary to safeguard the national security of Australia.
2.2 If an organisation uses or discloses personal information under paragraph 2.1(g), it should make a note of the use or disclosure.
We will ensure that information about you is accurate when we collect or use it
3. An organisation should take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date.
We will keep information about you secure
4.1 An organisation should take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 An organisation should take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
We will be open with you about what kinds of personal information we hold and what we do with it
5.1 An organisation should have clearly expressed policies on its management of personal information which should be readily available.
5.2 An organisation, on request, should take reasonable steps to let individuals know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
Wherever possible we will let you see the information we hold about you and correct it if it is wrong
6.1 Where an organisation holds personal information about an individual, it should provide the individual with access to the information on request, except to the extent that:
6.2 Where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the decision rather than direct access to the information.
6.3 If an organisation has given an individual an explanation under 6.2, and the individual believes that direct access to the evaluative information is necessary to provide a reasonable explanation of the reasons for the decision, the individual should have access to an independent process to review whether that is so.
6.4 Wherever direct access by the individual is impracticable or inappropriate, the organisation and the individual should consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.5 If an organisation levies charges for providing access to personal information, those charges:
6.6 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up to date, the organisation should take reasonable steps to correct the information so that it is accurate, complete and up to date.
6.7 If the individual and the organisation disagree about whether the information is accurate, complete and up to date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up to date, the organisation should take reasonable steps to do so.
6.8 An organisation should provide reasons for denial of access or correction.
We will limit our use of identifiers that government agencies have assigned to you
7.1 An organisation should not adopt as its own identifier an identifier that has been assigned by a government agency (or by an agent of, or contractor to, a government agency acting in its capacity as agent or contractor).
7.2 An organisation should not use or disclose an identifier assigned to an individual by a government agency (or by an agent of or contractor to a government agency acting in its capacity as agent or contractor) unless one of paragraphs 2.1(d) to 2.1(h) applies.
If we can (and you want to) we will deal with you anonymously
8. Wherever it is lawful and practicable, individuals should have the option of not identifying themselves when entering transactions.
We will take steps to protect your privacy if we send personal information about you outside Australia
9. An organisation should only transfer personal information outside Australia if:
(i) it is not practicable to obtain the consent of the subject of the information to that transfer; and
(ii) if it were practicable to obtain such consent, the subject of the information would be likely to give it; or
We will limit the collection of highly sensitive information about you
10.1 An organisation should not collect personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or details of health or sex life unless:
10.2 Paragraph 10.1 does not apply where:
(i) as required by law; or
(ii) in accordance with rules established by competent bodies dealing with obligations of professional confidentiality.
The act of gathering, acquiring, or obtaining personal information from any source, including third parties, by any means.
Free and informed agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organisation seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
In relation to personal information, to correct means to amend, delete or complete.
Making personal information available to others outside the organisation, other than the subject of the information. Disclosure includes publication of personal information through any medium.
A magazine, book, newspaper or other publication that is or will be generally available to members of the public (see definition of ‘personal information’).
An identifier (usually a number) assigned by an organisation to an individual to uniquely identify that individual for the purposes of the operations of the organisation. Does not include an individual’s name.
A living natural person.
The Australian Security Intelligence Organisation, the Australian Secret Intelligence Service, the Defence Intelligence Organisation or the Defence Signals Directorate.
The Australian Federal Police, the National Crime Authority, or any other Commonwealth, State or Territory law enforcement agency that is performing a lawful national security function.
An association, business, charitable organisation, club, government body, institution, professional practice, union, corporation, group of bodies corporate that are related within the meaning of the Corporations Law, or any other collective entity. These principles do not apply to any organisation already subject to the Privacy Act 1988, to the extent that it is covered by that Act.
Information, whether fact, opinion or evaluative material, about an identifiable individual that is recorded in any form. Personal information does not include a generally available publication.
Such steps (if any) as are, in the circumstances, reasonable.
In relation to personal information, this term means the individual to whom the information relates.
In relation to personal information, a third party is any organisation or individual other than the organisation holding the information and the individual who is the subject of the information.
Refers to the treatment and handling of personal information within an organisation.