Use and disclosure: NPP 2 regulates how organisations can use and disclose an individual’s personal information. A critical distinction is made between use and disclosure undertaken for the primary purpose of collection, and use and disclosure undertaken for some other secondary purpose.
Generally speaking, an organisation must not use or disclose an individual’s personal information for a purpose (secondary purpose) other than the primary purpose of collection, unless the individual has consented or the individual would reasonably expect the organisation to use or disclose their personal information for the secondary purpose.
Data quality: NPP 3 requires that an organisation take all reasonable steps to ensure that all personal information they collect, use or disclose is accurate, complete and up‑to-date.
What are considered to be reasonable steps will vary depending on the circumstances. Factors for SMEs to consider include whether the kinds of personal information collected are likely to change over time, how recently the personal information was collected, and who provided the personal information.
Data security: Under NPP 4, an organisation must take reasonable steps to protect all personal information from loss, misuse and unauthorised access, modification or disclosure.
The types of security measures that SMEs could implement to comply with NPP 4 include physical security, such as preventing unauthorised entry to premises and locking filing cabinets that store paper-based personal information; computer and network security, such as preventing unauthorised access to networks through firewalls or secured login websites; communications security, such as protecting communications via data transmission, including email and voice, from interception; and personnel security, such as limiting access to personal information to authorised staff for approved purposes.
Openness: Under NPP 5, an organisation is required to make available on request a privacy policy setting out the organisation’s management of personal information it collects.
The privacy policy must set out whether the organisation is bound by the NPPs or by its own privacy code approved by the Federal Privacy Commissioner; any exemptions under the Act that apply to that organisation; how the organisation collects, uses and discloses personal information; and that the individual can obtain more information upon request concerning the organisation’s handling of personal information.
Access and correction: NPP 6 generally requires an organisation to allow individuals to access and correct personal information held about them. This access may include inspecting records, taking notes, or the provision of photocopies or printouts.
There are limited situations where an individual can be prevented from accessing their personal information. These situations include if the information would breach another person’s privacy (however, where possible, offending information could be blacked out); if the information is a threat to the life or health of a person; where access would be unlawful; or where access would prejudice an organisation’s negotiations with the individual.
Identifiers: NPP 7 restricts an organisation’s use of government identifiers such as Medicare and tax file numbers.
Anonymity: Under NPP 8, an organisation must allow an individual to remain anonymous where reasonable and practicable.
Transborder data flows: NPP 9 requires that when transferring an individual’s personal information overseas, an organisation must ensure the individual has consented, that the recipient is legally or contractually bound to handle the information in accordance with requirements substantially similar to the NPPs, or that the transfer is for the benefit of the individual and it is impracticable to obtain the individual’s consent, which they would be likely to give.