
National Privacy Principles

The private sector provisions of the Privacy Act centre around 10 National Privacy Principles (the NPPs) that set out how private sector organisations should collect, use, keep secure and disclose personal information. The principles give individuals a right to know what information an organisation holds about them and a right to correct that information if it is wrong.

There are broad similarities between the IPPs (i.e. the standards the Federal government must follow) and the NPPs; however, in general the NPPs impose less onerous obligations than the IPPs.

The NPPs relate to collection, use, disclosure, quality, security, openness, access to and correction of personal information, including sensitive information and health information. There are also principles on the use of government identifiers, the right to remain anonymous and the flow of data across borders.


NPP 1 Collection

NPP 1 provides that an organisation must not collect personal information unless the information is necessary for one or more of its functions or activities. The information must be collected by lawful and fair means and not in an unreasonably intrusive way. The collector must take reasonable steps to ensure the individual is aware of things such as the identity of the organisation, the purposes for which the information is collected, to whom the information is usually disclosed and any law which requires the collection of the information, unless making the individual aware would pose a serious threat to the life or health of any individual. If it is reasonable and practicable to do so, an organisation must collect personal information about an individual from that individual.

NPP 2 Use and disclosure

An organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection. There are exemptions to this principle. These include when the secondary purpose is related, or in the case of sensitive information, directly related to the primary purpose and the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; if the individual has consented to the use or disclosure; in certain circumstances for direct marketing or for health research; if there is a threat to an individual's life or the public's health or safety; to report unlawful activity to relevant authorities; if it is required or authorised by or under law; and for the prevention and detection of criminal offences, enforcement of particular laws and protection of the public revenue.

The organisation must make a written note of any use or disclosure of personal information. There are special provisions which relate to the disclosure of health information.

NPP 3 Data quality

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up‑to‑date.

NPP 4 Data security

An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. Personal information must be destroyed or de-identified if it is no longer needed.

NPP 5 Openness

An organisation must have and make available a policy document on its management of personal information.

NPP 6 Access and correction

An individual must have access to personal information held by an organisation about them. There are exemptions to this principle. These include if access would pose a serious and imminent threat to the life or health of any individual; it would have an unreasonable impact upon the privacy of other individuals; the request is frivolous or vexatious; there are existing or anticipated legal proceedings between the organisation and the individual; providing access would be unlawful; denying access is required or authorised by or under law; providing access may prejudice an investigation of possible unlawful activity, the prevention or detection of a crime or the enforcement of laws, the protection of public revenue or it may damage the security of Australia.

If an individual shows that the information held is not accurate, complete or up to date then the organisation must take steps to remedy this. An organisation must provide reasons for denial of access or a refusal to correct personal information.

NPP 7 Identifiers

NPP 7 prohibits the use by organisations of government identifiers such as the tax file number of a person to identify a person or information.

NPP 8 Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation.

NPP 9 Transborder data flows

NPP 9 regulates the transfer of personal information about an individual to someone in a foreign country.

NPP 10 Sensitive information

NPP 10 prohibits the collection of sensitive information about an individual except in certain circumstances, such as when the individual has consented or the collection is required by law. There are specific provisions in relation to the collection of health information.


National Privacy Principles  :  Last Revised: Thu Nov 10th 2005




Copyright ©2008 Government of South Australia - All Rights Reserved