The 12 Information Protection Principles (IPPs) are your key to the Privacy and Personal Information Protection Act 1998 (PPIP Act).
There are legal obligations which NSW public sector agencies, statutory bodies, universities and local councils must abide by when they collect, store, use or disclose personal information. As exemptions may apply in some instances, it is therefore suggested you contact the Privacy Contact Officer in your agency or our office for further advice.
Only collect personal information for a lawful purpose, which is directly related to the agency’s function or activities and necessary for that purpose.
Only collect personal information directly from the person concerned, unless they have authorised collection from someone else, or if the person is under the age of 16 and the information has been provided by a parent or guardian.
Inform the person you are collecting the information from why you are collecting it, what you will do with it and who else might see it. Tell the person how they can view and correct their personal information, if the information is required by law or voluntary, and any consequences that may apply if they decide not to provide their information.
Ensure that the personal information is relevant, accurate, complete, up-to-date and not excessive and that the collection does not unreasonably intrude into the personal affairs of the individual.
Store personal information securely, keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use, modification or disclosure.
Access and Accuracy
Explain to the person what personal information about them is being stored, why it is being used and any rights they have to access it.
Allow people to access their personal information without excessive delay or expense.
Allow people to update, correct or amend their personal information where necessary.
Make sure that the personal information is relevant, accurate, up to date and complete before using it.
Only use personal information for the purpose it was collected unless the person has given their consent, or the purpose of use is directly related to the purpose for which it was collected, or to prevent or lessen a serious or imminent threat to any person’s health or safety.
Only disclose personal information with a person’s consent or if the person was told at the time that it would be disclosed, if disclosure is directly related to the purpose for which the information was collected and there is no reason to believe the person would object, or the person has been made aware that information of that kind is usually disclosed, or if disclosure is necessary to prevent a serious and imminent threat to any person’s health or safety.
An agency cannot disclose sensitive personal information without a person’s consent, for example, information about ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or tradeunion membership. It can only disclose sensitive information without consent in order to deal with a serious and imminent threat to any person’s health or safety.
Full text of the Information Protection Principles, can be seen in the relevant sections of the Privacy and Personal Information Protection Act, 1998 available on the NSW Consolidated Acts page: www.austlii.edu.au.
For more information
NOTE: The information in this fact sheet is to be used as a guide only.
Legal advice should be sought in relation to individual circumstances.
Full text of the Information Protection Principles can be found in the relevant sections of the Privacy and Personal Information Protection Act 1998 on the NSW Consolidated Acts page: www.austlii.edu.au.
Page updated: May 2017.