Content of privacy principle dealing with identifiers
Use and disclosure for the purpose of identity verification
30.65 An issue that arose in response to DP 72 was whether the proposed ‘Identifiers’ principle would prevent an agency or organisation from using or disclosing an identifier for the purpose of identity verification.[89] The AGD submitted that: Identifiers are critical for the operation of identity management and …
Publications

Multi-purpose identifiers
30.105 This section discusses identifiers assigned to individuals by governments for use by multiple government agencies and organisations (multi-purpose identifiers). The section commences by providing an overview of concerns that have been expressed about the impact on privacy of multi-purpose identifiers. It then examines the history of identification schemes in Australia before discussing the recently …

Annotation of disputed information
29.133 Where the correctness of personal information is the subject of dispute, the IPPs and the NPPs provide individuals with the right to have the information annotated. 29.134 The IPPs and NPPs, however, deal with this issue slightly differently. IPP 7 states that, in the event that there is a disagreement about correction, the record-keeper …

Procedural requirements for access and correction requests
29.139 Where an individual exercises his or her right to obtain access to, and correction of, personal information, the agency or organisation that holds the information must comply with a number of procedural requirements. For organisations, these requirements are set out in NPP 6. NPP 6.4, for example, limits the charge that an organisation can …

Access to personal information: exceptions
29.37 The IPPs and the NPPs place obligations on agencies and organisations to provide individuals with access to personal information that they hold about the individuals, unless a specific exception applies. There are a number of differences, however, between these exceptions. Questions therefore arise about: whether the ‘Access and Correction’ principle in the model UPPs should …

Access to personal information: intermediaries
Background
29.65 NPP 6.3 currently requires an organisation that has lawfully denied an individual access to his or her personal information to consider providing access to the information to a mutually agreed third party intermediary. The object behind this provision was explained in the Explanatory Memorandum and other material accompanying its introduction: [NPP 6.3] is not intended to …

Correction of personal information
Background
29.83 Where an agency or organisation holds incorrect personal information about an individual, in most circumstances the individual has the right to have this information corrected.
29.84 Under IPP 7.1, an agency that has possession or control of a record containing personal information must take reasonable steps by way of making appropriate corrections, deletions and additions …

Prevention of misuse and loss of personal information
28.15 A central component of data security is protecting personal information from misuse and loss. The importance of measures to protect personal information from misuse and loss recently was illustrated in the United Kingdom, when Her Majesty’s Revenue and Customs lost in the post the personal information of 25 million Britons, including their dates of …

Disclosure of personal information to third parties
Background
28.41 Unlike NPP 4, IPP 4 expressly obliges a record-keeper to take reasonable steps to prevent unauthorised use or disclosure of personal information contained in a record where the record is given ‘to a person in connection with the provision of a service to the record-keeper’.[45] In addition, s 95B of the Privacy Act requires …

Information destruction and retention requirements
Background
28.53 Sometimes privacy law requires an agency or organisation that has collected personal information to destroy, delete or de-identify that information after a set period of time or in certain circumstances. This requirement may arise where, for example, an organisation has collected personal information for the specific purpose of identifying an individual. When the identification …