The National Privacy Principles (NPPs) are a high-level statement of principle. The Privacy Commissioner has issued guidelines which provide specific information about what the NPPs mean and how they are to be applied.
In addition, on 18 May 2005 the Privacy Commissioner released a review of the private sector provisions of the Privacy Act 1988. This review recommends amendments to certain NPPs found in the Privacy Act, namely those affecting privacy notices, direct marketing and due diligence.
The summary of the NPPs below incorporates these recommendations. We've also included some practical guidance notes to help you understand how you can comply with the NPPs.
This summary should be used as a guide only - for more, go back to our NPPs and privacy codes page.
The ten NPPs cover:
- NPP 1 - Collection
- NPP 2 - Use and disclosure
- NPP 3 - Data quality
- NPP 4 - Data security
- NPP 5 - Openness
- NPP 6 - Access & correction
- NPP 7 - Identifiers
- NPP 8 - Anonymity
- NPP 9 - Transborder data flows
- NPP 10 - Sensitive information
NPP 1 - Collection
An organisation must only collect personal information that's necessary for one or more of its legitimate functions or activities (the primary purpose).
Comment: If it cannot effectively pursue its functions or activities without collecting personal information, then that personal information is 'necessary'.
If it receives personal information that is not 'necessary' for its functions or activities, it must not retain that information.
Organisations will need to carefully identify and assess all their functions and activities, including those ancillary and incidental ones.
An organisation must only collect personal information by lawful and fair means and not in an unreasonably intrusive way.
At the time of collection (or as soon as practicable afterwards) it must take reasonable steps to ensure that the individual is told:
- the identity of the organisation and how to contact it;
- that they can access the information;
- why the information is collected;
- the disclosure practices of the organisation; and
- any law that requires the particular information to be collected and the consequences (if any) for the individual if the information isn't provided.
Comment: If the information is collected via a form, this information could be provided through a statement on the form.
If it's collected via a website, this information must be included in a clearly identified privacy statement. The statement should be reasonably prominent - users should not have to click through a number of pages to reach it.
If a website uses cookies, it must let consumers know what information is being collected, and how it is used, stored and disclosed.
Where practicable, an organisation should collect personal information directly from the individual. If it doesn't, it must take reasonable steps to make sure the above guidelines are followed in relation to information collected from elsewhere.
Note: as discussed above, in the Privacy Commissioner's May 2005 review of the private sector provisions of the Privacy Act 1988, the Commissioner suggests that the Government consider amending NPP 1.3 and 1.5 to clarify that there may be situations in which it is a reasonable step not to give a privacy collection statement. This responds to concerns that a business relying on the existing OPC information sheet on what are 'reasonable steps' might still be found to be in breach of the Privacy Act if a court were to interpret NPP 1 more narrowly than the OPC has. The OPC also recommends that all privacy notices be shorter and dated, so that an individual can tell which version applied at the time of collection and organisations cannot amend privacy statements unilaterally (and without notice) unnoticed.
NPP 2 - Use and disclosure
As a general rule, an organisation should only use or disclose personal information for the purpose for which it was collected. But an organisation can use or disclose personal information about an individual for another purpose if:
- the individual has consented; or
- the secondary purpose is related to the primary purpose and might reasonably be expected. If the personal information is sensitive information, the secondary purpose must be directly related to the primary purpose.
Comment: It appears that an organisation can create a reasonable expectation merely by telling an individual that the information might be used for the secondary purpose. So if an organisation wants to use information for two related purposes, it's acceptable to inform rather than obtain consent.
If the secondary purpose is direct marketing, and the information is not sensitive information, use is permitted for direct marketing if:
- it's impracticable to seek the individual's consent before the particular use;
- there is no charge for implementing an individual's request not to be the target of direct marketing;
- the individual has not made such a request; and
- the individual is told (at each contact) that he or she may express a wish not to receive any further direct marketing communications.
Each written direct marketing communication must also set out the organisation's business address and telephone number and, if the communication is sent electronically (for example by fax or email), an address or number at which the organisation can be contacted directly by electronic means.
An organisation may also use or disclose personal information for some secondary purposes related to the public interest, such as law enforcement, public safety, research purposes or emergency situations.
Special rules apply to health information.
Also see the Spam Act, which further regulates the sending of unsolicited commercial electronic messages.
Note: as discussed above, in the Privacy Commissioner's May 2005 review of the private sector provisions of the Privacy Act 1988, the Commissioner has made some recommendations regarding NPP 2.1, which deals with privacy issues relating to direct marketing. The review recommends that the Federal Government consider amending the Privacy Act to give individuals a right to opt out of receiving marketing material in all circumstances, with organisations required to comply with an opt-out request within a specified time. The review also recommends that consideration be given to amending the Privacy Act to require an organisation to take reasonable steps, when asked, to divulge where it obtained an individual's personal information. An organisation would only have to reveal where it itself got the individual's information, not the ultimate source of that information.
NPP 3 - Data quality
An organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
NPP 4 - Data security
An organisation must take reasonable steps to protect the personal information it holds from misuse, loss and unauthorised access, modification and disclosure. It must also take reasonable steps to destroy personal information, or permanently de-identify it so that it can no longer be linked to the person it relates to, once it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. What counts as 'reasonable steps' depends on the sensitivity of the information and the harm that would follow from a breach, so the security measures should be proportionate to both.
NPP 5 - Openness
Organisations must prepare clearly expressed policies on the management of personal information, which must be available on request. This may be a general statement saying that the organisation abides by the NPPs or an approved privacy code and mentioning any applicable exemptions. It should also briefly state the type of personal information held, the broad purposes for which it is used, and how an individual can access personal information or lodge a complaint.
If requested by an individual, an organisation must take reasonable steps to let the individual know more detail about the sort of personal information it holds, the purpose for which the information is held and how the information is collected, used, stored and disclosed.
Comment: For all affected organisations, a carefully thought out and specifically tailored privacy policy will be a very important part of their customer relations and their compliance plan.
How - and where - you display the policy will also be very important. You may need to publish it in several forms, perhaps as a document as well as online.
NPP 6 - Access & correction
As a general rule, an organisation must, upon request, give the individual access to any personal information held about them.
An organisation doesn't have to give access in some circumstances, for example if:
- it would be unlawful to provide the information;
- it would pose a serious and imminent threat to the life or health of any individual;
- it would have an unreasonable impact upon the privacy of other individuals; or
- the request is frivolous or vexatious.
If providing access would reveal evaluative information about a commercially sensitive decision-making process (for example a credit scoring process used by a credit provider), then the organisation may give an explanation rather than direct access to the information.
An organisation may charge for providing access to personal information, but charges must not be excessive and must not apply to lodging a request for access.
An organisation must also take reasonable steps to correct any personal information if the individual can establish that it is not accurate, up to date or complete. If the organisation doesn't agree that there's a problem with the information it must, if requested, include a statement with the information about the individual's allegations.
Where access is denied, or there is a refusal to correct personal information, the organisation must tell the person who's requested it why.
NPP 7 - Identifiers
An identifier is a number assigned by a Commonwealth government agency (or its agent or contractor) to identify an individual - for example a Medicare number, tax file number or pension number.
An organisation must not adopt an identifier like this as its own identifier for the individual, and must not use or disclose an identifier assigned by a government agency unless that is necessary to fulfil its obligations to the agency or one of the NPP 2 exceptions (such as consent or a law enforcement purpose) applies.
NPP 8 - Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions.
NPP 9 - Transborder data flows
An organisation in Australia must take steps to protect an individual's privacy if personal information is sent to someone outside Australia. Information may only be transferred if at least one of the following applies:
- the organisation reasonably believes a law, binding scheme or contract applies at the destination which effectively delivers privacy standards substantially similar to the NPPs;
- the individual consents to the transfer;
- the transfer is for the benefit of the individual and it's impracticable to obtain consent, but it's likely consent would have been given;
- the transfer is required by a contract between the individual and the organisation, or a contract between the organisation and a third party in the interests of the individual; or
- the organisation has taken reasonable steps to ensure the information won't be held, used or disclosed by its recipient inconsistently with the NPPs.
For more information see the International data flows section.
NPP 10 - Sensitive information
Generally, an organisation is not allowed to collect sensitive information from an individual unless:
- the individual has consented;
- collection is required or authorised by law;
- the information is required to establish or defend a legal or equitable claim; or
- the individual is incapable of consenting and the information is needed because of a serious and imminent threat to the life or health of the individual.
Non-profit organisations, including charities, may collect sensitive information if:
- it relates solely to the members of the organisation, or people who have regular contact with it for the purpose of its activities; and
- the organisation undertakes to the individual that it will not disclose the information without consent.
There are also specific provisions concerning health information. An organisation can collect health information from an individual in certain circumstances, for example where the collection is necessary to provide a health service to the individual, or for research or the management of health services where it is impracticable to use de-identified information.