Prevention of misuse and loss of personal information
28.15 A central component of data security is protecting personal information from misuse and loss. The importance of measures to protect personal information from misuse and loss recently was illustrated in the United Kingdom, when Her Majesty’s Revenue and Customs lost in the post the personal information of 25 million Britons, including their dates of …
Disclosure of personal information to third parties
Background
28.41 Unlike NPP 4, IPP 4 expressly obliges a record-keeper to take reasonable steps to prevent unauthorised use or disclosure of personal information contained in a record where the record is given ‘to a person in connection with the provision of a service to the record-keeper’.[45] In addition, s 95B of the Privacy Act requires …
Information destruction and retention requirements
Background
28.53 Sometimes privacy law requires an agency or organisation that has collected personal information to destroy, delete or de-identify that information after a set period of time or in certain circumstances. This requirement may arise where, for example, an organisation has collected personal information for the specific purpose of identifying an individual. When the identification …
Towards a single data security principle
28.7 As noted above, agencies and organisations are subject to data security requirements under the IPPs and NPPs respectively. These principles, however, differ in two main respects. First, agencies are obliged to take steps to prevent the unauthorised use or disclosure of personal information that has been disclosed to a third party in connection with …
Application of the ‘Data Quality’ principle to agencies
27.7 As is noted above, agencies presently are not subject to a discrete ‘Data Quality’ principle. In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC proposed that a single ‘Data Quality’ principle should apply to both agencies and organisations.[6]
27.8 The proposal was supported almost unanimously by stakeholders.[7] The Public Interest Advocacy …
Scope of the ‘Data Quality’ principle
Background
27.11 The scope of the data quality requirements set out in the IPPs and the NPPs varies in a number of respects. First, the application of the IPPs and the NPPs to information outside the possession or control of an agency or organisation differs. Pursuant to NPP 3, organisations must take steps to ensure the …
Balancing data quality and other privacy interests
27.30 In its review of the private sector provisions of the Privacy Act (the OPC Review), the OPC noted that some organisations consider that their obligations under NPP 3 to keep personal information up-to-date and accurate are absolute, and could be used to justify intruding upon an individual’s privacy.[29] In other words, compliance with the …
Current coverage by IPPs and NPPs
26.9 The current rules in the Privacy Act on direct marketing differ between agencies and organisations. The Information Privacy Principles (IPPs) do not contain any provisions dealing explicitly with direct marketing by agencies. In contrast, the National Privacy Principles (NPPs) deal with the issue of direct marketing by organisations as part of the use and …
Application of direct marketing principle to agencies
26.34 Before considering the content of the direct marketing principle, first it is necessary to consider what entities should be bound by the principle. Currently, organisations must comply with the direct marketing provisions in NPP 2.1(c) where direct marketing does not fall within one of the other limbs of the use and disclosure principle in …
Relationship between privacy principles and other legislation
Background
26.49 This part of the chapter considers how the ‘Direct Marketing’ principle should relate to sectoral legislation that deals with particular types or aspects of direct marketing. For example, some aspects of telemarketing are regulated by the Do Not Call Register Act 2006 (Cth) and some aspects of email marketing are covered by the Spam …