Principles underpinning privacy legislation



The new privacy law to apply to Australian private industry from 21 December 2001 is based on 10 principles that express the major issues making-up a legitimate privacy regime.


The law is concerned with controlling the collection, use and disclosure of personal information about individuals held by businesses. The 10 National Privacy Principles (NPPs) are summarised below.

The 10 NPPs

NPP 1 (collection) requires that organisations:

  • work out what information is necessary for the functions or activities of the organisation, and collect only that;
  • collect information only by lawful and fair means and not in an unreasonably intrusive way;
  • tell the individual whose information is being collected why the organisation wants it and what the organisation intends to do with it;
  • collect information directly from the individual wherever it is reasonable and practicable to do so; and
  • where information is collected from someone other than the individual, take reasonable steps to let him or her know what the organisation will do with it.

NPP 2 (use and disclosure) allows an organisation to use or disclose personal information for a purpose other than the one it was collected for (a secondary purpose) only where:

  • the secondary purpose is related to the primary purpose of collection and the use or disclosure is within the reasonable expectations of the individual concerned;
  • the individual has consented;
  • the use or disclosure is necessary for health research, or to lessen or prevent a serious threat to life or health;
  • the use or disclosure is required or authorised by law;
  • the use or disclosure is reasonably necessary for law enforcement; or
  • the special rules that apply to direct marketing are satisfied.
NPP 3 (data quality): organisations must take reasonable steps to ensure that the personal information they collect, use or disclose is accurate, complete and up to date.

NPP 4 (data security): organisations must take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure, and must take reasonable steps to destroy or permanently de-identify personal information once it is no longer needed for any purpose.

NPP 5 (openness): organisations must have a clearly expressed policy on how they handle personal information, make that policy available to anyone who asks for it, and take reasonable steps to let people know how they handle personal information.

NPP 6 (access and correction): organisations must give an individual access to the personal information they hold about him or her on request, unless:
  1. providing access would pose a serious threat to the life or health of any individual;
  2. providing access would have an unreasonable impact on the privacy of other individuals;
  3. providing access would be unlawful;
  4. providing access would be likely to prejudice national security;
  5. the information relates to existing or anticipated legal proceedings, or providing access would prejudice negotiations with the individual;
  6. the request is frivolous or vexatious; or
  7. providing access would prejudice an investigation of possible unlawful activity or the work of a law enforcement agency.

Where an organisation denies access, it must give the individual its reasons for doing so. Organisations may charge a fee for providing access, but the charge must not be excessive.

Individuals will also be able to ask organisations to correct personal information held about them which they believe is inaccurate, incomplete or not up to date. If the organisation disagrees and the individual asks, the organisation must take reasonable steps to attach to the information a statement recording that the individual claims it is inaccurate, incomplete or out of date.

NPP 7 (identifiers): organisations will not be allowed to adopt a Commonwealth Government identifier (such as a tax file number or Medicare number) as the organisation's own identifier for individuals. An individual's name or ABN is not an identifier for this purpose.

NPP 8 (anonymity): where it is lawful and practicable, organisations must give individuals the option of not identifying themselves when entering into transactions with the organisation.

NPP 9 (transborder data flows) regulates the way personal information can be sent out of the country. An organisation may transfer personal information to a recipient in a foreign country only where:

  • the organisation reasonably believes the recipient is subject to a privacy law, binding scheme or contract which affords substantially the same protection as that provided by the 10 NPPs;
  • the individual concerned consents to the transfer;
  • the transfer is necessary for the performance of a contract between the individual and the organisation;
  • the transfer is for the benefit of the individual, it is impracticable to obtain the individual's consent, and if it were practicable the individual would be likely to give it; or
  • the organisation has taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient in a way that is inconsistent with the 10 NPPs.

NPP 10 (sensitive information) says that organisations cannot collect sensitive information (which includes information about health, racial or ethnic origin, sexual preferences and similar matters) unless the individual has consented, the collection is required by law, or one of the special cases relating to the provision of health services applies.


Coming soon: in the coming weeks, WorkplaceInfo will look at the 10 NPPs in detail and explore how these will affect your business.
