Appendix 4
The National Principles for the fair handling of personal information, 1998
Principles
[The summary headings do not form part of the principles themselves.]
Collection
We will only collect information that is necessary for what we do
1.1 An organisation should only collect personal information that is
necessary for one or more of its legitimate functions or activities.
We will be fair in the way we collect information about you
1.2 An organisation should only collect personal information by lawful
and fair means and not in an unreasonably intrusive way.
We will tell you who we are and what we intend to do with information
about you
1.3 At or before the time an organisation collects personal information
from the subject of the information (or, if that is not practicable, as
soon as practicable thereafter), it should take reasonable steps to ensure
that the subject of the information is aware of:
(d) to whom (or the types of individuals or organisations to which)
it usually discloses information of this kind;
(f) the main consequences (if any) for the individual if all or part
of the information is not provided.
Where practicable, we will collect personal information directly from
you
1.4 Where it is reasonable and practicable to do so, an organisation
should collect personal information directly from the subject of the information.
If we collect information about you from someone else we will, wherever
possible, make sure you know we have done this
1.5 Where an organisation collects personal information from a third
party, it should take reasonable steps to ensure that the subject of the
information is or has been made aware of the matters listed under item
1.3 above.
Use and Disclosure
We will only use or disclose information about you in ways that are
consistent with your expectations or are required in the public interest
2.1 An organisation should only use or disclose personal information
for a purpose other than the primary purpose of collection (a 'secondary
purpose') if:
(iii) the organisation gives the individual the express opportunity,
at the time of first contact or thereafter upon request, and at no
cost, to decline to receive any further direct marketing communications;
or
(d) the organisation reasonably believes that the use or disclosure
is necessary to prevent or lessen a serious and imminent threat to an
individual's life or health; or
(e) the organisation has reason to suspect that unlawful activity has
been, is being or may be engaged in, and uses or discloses the personal
information as a necessary part of its investigation of the matter or
in reporting its concerns to relevant persons or authorities; or
(g) the use or disclosure is reasonably necessary for the enforcement
of the criminal law or of a law imposing a pecuniary penalty or for
the protection of the public revenue; or
(h) an intelligence or law enforcement agency asks the organisation
to use or disclose the personal information on the basis that the use
or disclosure is necessary to safeguard the national security of Australia.
2.2 If an organisation uses or discloses personal information under paragraph
2.1(g), it should make a note of the use or disclosure.
Data Quality
We will ensure that information about you is accurate when we collect
or use it
3 An organisation should take reasonable steps to make sure that the
personal information it collects, uses or discloses is accurate, complete
and up to date.
Data Security
We will keep information about you secure
4.1 An organisation should take reasonable steps to protect the personal
information it holds from misuse and loss and from unauthorised access,
modification or disclosure.
4.2 An organisation should take reasonable steps to destroy or permanently
de-identify personal information if it is no longer needed for any purpose.
Openness
We will be open with you about what kinds of personal information
we hold and what we do with it
5.1 An organisation should have clearly expressed policies on its management
of personal information which should be readily available.
5.2 An organisation, on request, should take reasonable steps to let
individuals know, generally, what sort of personal information it holds,
for what purposes, and how it collects, holds, uses and discloses that
information.
Access and Correction
Wherever possible we will let you see the information we hold about
you and correct it if it is wrong
6.1 Where an organisation holds personal information about an individual,
it should provide the individual with access to the information on request,
except to the extent that:
(a) providing access would pose a serious and imminent threat to the
life or health of any individual; or
(b) providing access would have an unreasonable impact upon the privacy
of other individuals; or
(c) providing access would be unduly onerous for the organisation;
or
(d) the request for access is frivolous or vexatious; or
(e) providing access would be likely to prejudice an investigation
of possible unlawful activity; or
(f) providing access would be unlawful; or
(g) denying access is specifically authorised by law; or
(h) the information relates to existing legal dispute resolution proceedings
between the organisation and the individual, and the information would
not be accessible by the process of discovery in those proceedings;
or
(i) providing access would reveal the intentions of the organisation
in relation to negotiations with the individual in such a way as to
prejudice those negotiations; or
(j) an intelligence or law enforcement agency asks the organisation
not to provide access on the basis that providing access would be likely
to cause damage to the national security of Australia.
6.2 Where providing access would reveal evaluative information generated
within the organisation in connection with a commercially sensitive decision-making
process, the organisation may give the individual an explanation for the
decision rather than direct access to the information.
6.3 If an organisation has given an individual an explanation under 6.2,
and the individual believes that direct access to the evaluative information
is necessary to provide a reasonable explanation of the reasons for the
decision, the individual should have access to an independent process
to review whether that is so.
6.4 Wherever direct access by the individual is impracticable or inappropriate,
the organisation and the individual should consider whether the use of
mutually agreed intermediaries would allow sufficient access to meet the
needs of both parties.
6.5 If an organisation levies charges for providing access to personal
information, those charges:
(a) should not be excessive; and
(b) should not apply to lodging a request for access.
6.6 If an organisation holds personal information about an individual
and the individual is able to establish that the information is not accurate,
complete and up to date, the organisation should take reasonable steps
to correct the information so that it is accurate, complete and up to
date.
6.7 If the individual and the organisation disagree about whether the
information is accurate, complete and up to date, and the individual asks
the organisation to associate with the information a statement claiming
that the information is not accurate, complete or up to date, the organisation
should take reasonable steps to do so.
6.8 An organisation should provide reasons for denial of access or correction.
Identifiers
We will limit our use of identifiers that government agencies have
assigned to you
7.1 An organisation should not adopt as its own identifier an identifier
that has been assigned by a government agency (or by an agent of, or contractor
to, a government agency acting in its capacity as agent or contractor).
7.2 An organisation should not use or disclose an identifier assigned
to an individual by a government agency (or by an agent of or contractor
to a government agency acting in its capacity as agent or contractor)
unless one of paragraphs 2.1(d) to 2.1(h) applies.
Anonymity
If we can (and you want to) we will deal with you anonymously
8 Wherever it is lawful and practicable, individuals should have the
option of not identifying themselves when entering transactions.
Transborder Data Flows
We will take steps to protect your privacy if we send personal information
about you outside Australia
9 An organisation should only transfer personal information outside Australia
if:
(a) the organisation reasonably believes that the recipient of the
information is subject to a statute, binding scheme or contract which
effectively upholds principles for fair information handling that are
substantially similar to these principles; or
(b) the individual concerned consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between
the individual concerned and the organisation, or for the implementation
of pre-contractual measures taken in response to the individual's request;
or
(d) the transfer is necessary for the conclusion or performance of
a contract concluded in the interest of the individual concerned between
the organisation and a third party; or
(e) the transfer is for the benefit of the individual concerned, and
(i) it is not practicable to obtain the consent of the subject of
the information to that transfer; and
(ii) if it were practicable to obtain such consent, the subject of
the information would be likely to give it; or
(f) the organisation has taken reasonable steps to ensure that the
information which it has transferred will not be collected, held, used
or disclosed by the recipient of the information inconsistently with
these principles.
Sensitive Information
We will limit the collection of highly sensitive information about
you
10.1 An organisation should not collect personal information revealing
racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade-union membership, or details of health or sex life unless:
(b) the collection is required or specifically authorised by law; or
(c) the collection is necessary to prevent or lessen a serious and
imminent threat to the life or health of any individual, where the subject
of the information is physically or legally incapable of giving consent;
or
(d) in the course of the legitimate activities of a non-profit-seeking
body with a racial, ethnic, political, philosophical, religious or trade-union
aim and on condition that the information relates solely to the members
of the body or to individuals who have regular contact with it in connection
with its purposes and that the information is not disclosed without
the consent of the subject of the information; or
(e) the collection is necessary for the establishment, exercise or
defence of a legal claim.
10.2 Paragraph 10.1 does not apply where:
(a) the information is required for the purposes of preventative medicine,
medical diagnosis, the provision of care or treatment or the management
of health-care services, and
(b) is collected
Definitions
Collection
The act of gathering, acquiring, or obtaining personal information from
any source, including third parties, by any means.
Consent
Free and informed agreement with what is being done or proposed. Consent
can be either express or implied. Express consent is given explicitly,
either orally or in writing. Express consent is unequivocal and does not
require any inference on the part of the organisation seeking consent.
Implied consent arises where consent may reasonably be inferred from the
action or inaction of the individual.
Correct
In relation to personal information, to correct means to amend, delete
or complete.
Disclosure
Making personal information available to others outside the organisation,
other than the subject of the information. Disclosure includes publication
of personal information through any medium.
Generally available publication
A magazine, book, newspaper or other publication that is or will be generally
available to members of the public (see definition of personal information).
Identifier
An identifier (usually a number) assigned by an organisation to an individual
to uniquely identify that individual for the purposes of the operations
of the organisation. Does not include an individual's name.
Individual
A living natural person.
Intelligence agency
The Australian Security Intelligence Organisation, the Australian Secret
Intelligence Service, the Defence Intelligence Organisation or the Defence
Signals Directorate.
Law enforcement agency
The Australian Federal Police, the National Crime Authority, or any other
Commonwealth, State or Territory law enforcement agency that is performing
a lawful national security function.
Organisation
An association, business, charitable organisation, club, government body,
institution, professional practice, union, corporation, group of bodies
corporate that are related within the meaning of the Corporations Law,
or any other collective entity. These principles do not apply to any organisation
already subject to the Privacy Act 1988, to the extent that it is covered
by that Act.
Personal information
Information, whether fact, opinion or evaluative material, about an identifiable
individual that is recorded in any form. Personal information does not
include a generally available publication.
Reasonable steps
Such steps (if any) as are, in the circumstances, reasonable.
Subject of the information
In relation to personal information, this term means the individual to
whom the information relates.
Third party
In relation to personal information, a third party is any organisation
or individual other than the organisation holding the information and
the individual who is the subject of the information.
Use
Refers to the treatment and handling of personal information within an
organisation.