The ten National Privacy Principles (NPPs) contained in schedule 3 of the Privacy Act 1988 (Privacy Act) regulate how large businesses, all health service providers and some small businesses and non-government organisations handle individuals’ personal information.
The NPPs cover the collection, use, disclosure and storage of personal information. They also allow individuals to access that information and have it corrected if it is wrong.
The NPPs generally apply to private sector organisations with an annual turnover of $3 million or more. In addition, in some instances the NPPs will apply to private sector organisations with an annual turnover of less than $3 million. More information is available on the Privacy Topics — Business page.
Below is a summary of the NPPs. For more detail, see the full text of the NPPs. Additional information and guidance on the interpretation of the NPPs can be found in the Guidelines to the National Privacy Principles.
The NPPs will be replaced by the Australian Privacy Principles (APPs) on 12 March 2014. More information on the APPs can be found on the law reform page.
NPP 1: collection
Describes what an organisation should do when collecting personal information, including what they can collect, collecting from third parties and, generally, what they should tell individuals about the collection.
NPP 2: use and disclosure
Outlines how organisations may use and disclose individuals' personal information. If certain conditions are met, an organisation does not always need an individual's consent to use and disclose personal information. There are also rules about direct marketing.
NPPs 3–4: information quality and security
An organisation must take steps to ensure the personal information it holds is accurate and up-to-date, and is kept secure from unauthorised use or access.
NPP 5: openness
An organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it.
NPP 6: access and correction
Gives individuals a general right of access to their personal information, and the right to have that information corrected if it is inaccurate, incomplete or out-of-date.
NPP 7: identifiers
Generally prevents an organisation from adopting an Australian Government identifier for an individual (eg Medicare numbers) as its own.
NPP 8: anonymity
Where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves.
NPP 9: transborder data flows
Outlines how organisations should protect personal information that they transfer outside Australia.
NPP 10: sensitive information
Sensitive information includes information relating to health, racial or ethnic background, or criminal records. Higher standards apply to the handling of sensitive information.