There are two sets of standards in privacy principles. They are binding on the organisations to which they apply, and individuals can make a complaint if they believe that the principles have been breached.
The first is the Information Privacy Principles, which set standards required of Australian and ACT government agencies in their data collection, management and disclosure practices. The second is the National Privacy Principles which apply to private sector organisations. Again, individuals can make complaints if they believe their rights have been breached under the Privacy Principles as applicable to the public or private sector.
Information Privacy Principles
The ‘Information Privacy Principles’ for Commonwealth and ACT government agencies are currently available online. There are 11 principles in total, covering:
- Manner and purpose of collection of personal information: collection of information for a record or generally available publication must be for a lawful purpose and directly related to that purpose;
- Solicitation of personal information from a specific individual: ensure that the person is aware of the purpose for which the information is being collected, that it is authorised under law, and to whom the information may be disclosed by the collector;
- Solicitation of personal information generally: where personal information is solicited for inclusion in a generally available publication, the collector shall take steps to ensure the relevance of information collected, and that the information does not unreasonably intrude upon the personal affairs of the individual;
- Storage and security of personal information: a record-keeper must ensure there are reasonable safeguards to prevent loss, unauthorised access, use, modification or disclosure, or any other misuse of information, by non-involved parties or by parties who have a limited right of access;
- Information relating to records kept by record-keeper: records of information kept must be accessible, except where the record-keeper is required or authorised to refuse access. Records must contain information on the nature and purpose of the information, classes of individuals concerned, and the age of the records. Persons entitled to access the information should be helped to obtain access;
- Access to records containing personal information: an individual should have access to their personal information as according to law. There may be a lawful reason to refuse access;
- Alteration of records containing personal information: a record-keeper must take reasonable steps to ensure the accuracy of information in a record, or to append a note to the original record indicating updates or changes;
- Record-keeper to check accuracy, etc. of personal information before use: a record-keeper must take reasonable steps to ensure the accuracy, completeness and up-to-date nature of records;
- Personal information to be used only for relevant purposes: information shall not be used except for a purpose to which the information is relevant;
- Limits on use of personal information: information can only be used for the purpose for which it was obtained unless the individual concerned consents to another use, the record-keeper believes use of the information is necessary in a situation threatening life or health of the individual, the law permits another use, or it is reasonably necessary for the enforcement of the criminal law; and
- Limits on disclosure of personal information: disclosure is limited to the purpose for which the information was obtained, unless the individual concerned consents, or for reasons similar to those contained in Principle 10.
National Privacy Principles
The National Privacy Principles, applicable to private sector organisations, are accessible online. There are 10 principles in total, covering:
- Collection: what an organisation can collect, how to collect from third parties and, generally, what they should tell individuals about the collection.
- Use and disclosure: if certain conditions are met, an organisation does not always need an individual’s consent to use and disclose personal information. There are rules about direct marketing.
- Information quality: an organisation must take steps to ensure the personal information it holds is accurate and up-to-date, and is kept secure from unauthorised use or access.
- Security: as above
- Openness: an organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it.
- Access and correction: this gives individuals a general right of access to their personal information, and the right to have that information corrected if it is inaccurate, incomplete or out-of-date.
- Identifiers: generally prevents an organisation from adopting an Australian Government identifier for an individual (e.g. Medicare numbers) as its own.
- Anonymity: where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves.
- Trans-border data flows: outlines how organisations should protect personal information that they transfer outside Australia.
- Sensitive information: sensitive information includes information such as health, racial or ethnic background, or criminal record. Higher standards apply to the handling of sensitive information.