Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

NPPs - Plain English Summary


These Guidelines summary have been archived as they relate to pre-12 March 2014 law.

Below is a plain English summary of the National Privacy Principles (NPPs).

There are ten NPPs that regulate how private sector organisations manage personal information.  They cover the collection, use and disclosure, and secure management of personal information.  They also allow individuals to access that information and have it corrected if it is wrong.

If you want more detail see the full text of the NPPs and the NPP Guidelines.

NPP 1: collection

Describes what an organisation should do when collecting personal information, including what they can collect, collecting from third parties and, generally, what they should tell individuals about the collection.

NPP 2: use and disclosure

Outlines how organisations may use and disclose individuals' personal information. If certain conditions are met, an organisation does not always need an individual's consent to use and disclose personal information.  There are rules about direct marketing.

NPPs 3 & 4: information quality and security

An organisation must take steps to ensure the personal information it holds is accurate and up-to-date, and is kept secure from unauthorised use or access.

NPP 5: openness

An organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it.

NPP 6: access and correction

Gives individuals a general right of access to their personal information, and the right to have that information corrected if it is inaccurate, incomplete or out-of-date.

NPP 7: identifiers

Generally prevents an organisation from adopting an Australian Government identifier for an individual (e.g. Medicare numbers) as its own.

NPP 8: anonymity

Where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves.

NPP 9: transborder data flows

Outlines how organisations should protect personal information that they transfer outside Australia.

NPP 10: sensitive information

Sensitive information includes information such as health, racial or ethnic background, or criminal record.  Higher standards apply to the handling of sensitive information.