Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy fact sheet 1: Information Privacy Principles under the Privacy Act 1988

Note: The information below only applies to acts and practices that occured prior to 12 March 2014. The IPPs were replaced by the Australian Privacy Principles (APPs) on 12 March 2014. More information on the APPs can be found on the APPs page.

pdfPrivacy fact sheet 11.01 MB

This fact sheet provides the text of the 11 Information Privacy Principlesas extracted from section 14 of the Privacy Act 1988 (Cth). These principles apply to Australian and ACT government agencies. A separate set of the principles, the National Privacy Principles, apply to private sector organisations.

Principle 1 — Manner and purpose of collection of personal information

  1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:
    1. the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
    2. the collection of the information is necessary for or directly related to that purpose.
  2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2 — Solicitation of personal information from individual concerned

Where:

  1. a collector collects personal information for inclusion in a record or in a generally available publication; and
  2. the information is solicited by the collector from the individual concerned;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

  1. the purpose for which the information is being collected;
  2. if the collection of the information is authorised or required by or under law – the fact that the collection of the information is so authorised or required; and
  3. any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information.

Principle 3 — Solicitation of personal information generally

Where:

  1. a collector collects personal information for inclusion in a record or in a generally available publication; and
  2. the information is solicited by the collector:

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

  1. the information collected is relevant to that purpose and is up to date and complete; and
  2. the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4 — Storage and security of personal information

A record keeper who has possession or control of a record that contains personal information shall ensure:

  1. that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
  2. that if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the power of the record keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5 — Information relating to records kept by record keeper

  1. A record keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
    1. whether the record keeper has possession or control of any records that contain personal information; and
    2. if the record keeper has possession or control of a record that contains such information:
      1. the nature of that information;
      2. the main purposes for which that information is used; and
      3. the steps that the person should take if the person wishes to obtain access to the record.
  2. A record keeper is not required under clause 1 of this Principle to give a person information if the record keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.
  3. A record keeper shall maintain a record setting out:
    1. the nature of the records of personal information kept by or on behalf of the record keeper;
    2. the purpose for which each type of record is kept;
    3. the classes of individuals about whom records are kept;
    4. the period for which each type of record is kept;
    5. the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
    6. the steps that should be taken by persons wishing to obtain access to that information.
  4. A record keeper shall:
    1. make the record maintained under clause 3 of this Principle available for inspection by members of the public; and
    2. give the Commissioner, in the month of June in each year, a copy of the record so maintained.

Principle 6 — Access to records containing personal information

Where a record keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7 — Alteration of records containing personal information

  1. A record keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:
    1. is accurate; and
    2. is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.
  2. The obligation imposed on a record keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.
  3. Where:
    1. the record keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and
    2. no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

the record keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Principle 8 — Record keeper to check accuracy etc of personal information before use

A record keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9 — Personal information to be used only for relevant purposes

A record keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10 — Limits on use of personal information

  1. A record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:
    1. the individual concerned has consented to use of the information for that other purpose;
    2. the record keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;
    3. use of the information for that other purpose is required or authorised by or under law;
    4. use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or
    5. the purpose for which the information is used is directly related to the purpose for which the information was obtained.
  2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record keeper shall include in the record containing that information a note of that use.

Principle 11 — Limits on disclosure of personal information

  1. A record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:
    1. the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;
    2. the individual concerned has consented to the disclosure;
    3. the record keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;
    4. the disclosure is required or authorised by or under law; or
    5. the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.
  2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record keeper shall include in the record containing that information a note of the disclosure.
  3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

The information provided in this fact sheet is of a general nature. It is not a substitute for legal advice.

For further information

telephone 1300 363 992
write to: GPO Box 5218, Sydney NSW 2001
or visit our website at www.oaic.gov.au