If your organisation holds information that was collected before the new regime came into effect, is this information covered by the NPPs?
Some of the NPPs do not generally apply to personal information that was collected by an organisation before 21 December 2001. They include the NPPS relating to:
- collection (NPP 1);
- use and disclosure (NPP 2);
- data quality (NPP 3) - so far as it relates to collection of personal information; and
- sensitive information (NPP 10),
Personal information collected before 21 December 2001 will, however, be subject to those NPPs if the organisation that collected the information was, at the time of collection, subject to an industry code that enforced the NPPs.
Only certain NPPs apply to personal information collected before 21 December 2001. They include the NPPs relating to:
- data quality (NPP 3) - so far as it relates to use or disclosure of personal information;
- data security (NPP 4);
- openness (NPP 5);
- identifiers (NPP 7); and
- transborder data flows (NPP 9)
NPP 8, which states that, where practicable, individuals must be allowed the option of not identifying themselves when entering transactions with an organisation, applies only to transactions entered into after 21 December 2001.
NPP 6, which pertains to an individual's right to access and correct information held about them, applies only to personal information collected after 21 December 2001. The NPP does, however, apply to personal information collected before 21 December 2001 if that information is used or disclosed after the date (unless compliance involves an unreasonable administrative burden or unreasonable expense).
If an organisation updates personal information collected before 21 December 2001, all of
the NPPs (and other provisions within the Private Sector Act) will apply in full to that information.
