Circumstances in which notification obligations arise
23.35 The specific content of notification obligations to be imposed on agencies and organisations is discussed separately below. In general terms these address the fact, and purposes, of collection; usual disclosure practices; and an individual’s rights relating to his or her personal information.23.36 An initial question that arises, however, is in what circumstances should an …
Publications
Read moreCollection of sensitive information
Current coverage by IPPs and NPPs22.9 The IPPs do not regulate the collection of sensitive information separately from other forms of personal information. In contrast, NPP 10 regulates separately and specifically the collection of sensitive information. It prohibits the collection of such information, except in certain identified circumstances. NPP 10.1 provides that sensitive information can …
Publications
Read moreRegulation of other aspects of handling sensitive information
Background22.76 As noted above, the IPPs do not impose special restrictions on the collection of sensitive information; nor do they distinguish between the treatment of sensitive information and non-sensitive personal information at other stages of the information cycle such as use, disclosure, access and disposal. Guidelines issued by the OPC acknowledge expressly that where sensitive …
Publications
Read moreCollection from the individual
Background21.11 NPP 1 obliges an organisation, where reasonable and practicable, to collect personal information about an individual only from that individual. The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 acknowledges that there will be situations in which it would not be ‘reasonable and practicable’ to collect directly from an individual. It …
Publications
Read moreUnsolicited personal information
Background21.36 Agencies and organisations sometimes receive unsolicited personal information. This occurs where personal information is received by an agency or organisation that has taken no active steps to collect that information. This is increasingly common in the digital age where information can be transmitted easily and quickly.21.37 Sometimes unsolicited personal information received by an agency …
Publications
Read moreOther aspects of the ‘Collection’ principle
Location of notification requirements21.58 As noted above, the collection principles in both the NPPs and IPPs provide that, in certain circumstances, agencies and organisations must ensure that an individual whose personal information has been, or is to be, collected, is aware of a number of matters. One way of ensuring awareness is through notification. A …
Publications
Read moreExpanding the anonymity principle
Expansion of anonymity principle to agencies20.6 In accordance with NPP 8, wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.[5] The Information Privacy Principles (IPPs), however, do not contain a comparable anonymity principle. Neither is such a provision set out in the Organisation …
Publications
Read moreApplication of the ‘Anonymity and Pseudonymity’ principle
‘Lawful and practicable’20.28 The requirement to provide the option for anonymity or pseudonymity is not absolute. In particular, under NPP 8, organisations are required to provide individuals with the option of not identifying themselves only where it is ‘lawful and practicable’. NPP 8 is also limited to situations where individuals are ‘entering into transactions’ with …
Publications
Read moreBackground
Role of consent in the privacy principles19.3 As stated above, consent is only relevant to the application of a some privacy principles. Consent is either framed as an exception to a general prohibition against personal information being handled in a particular way or as a basis to authorise the handling of personal information in a …
Publications
Read moreA separate privacy principle dealing with consent?
Background19.69 As noted above, consent is not a discrete privacy principle, although it plays a key role in the application of other privacy principles—namely those regulating the collection of sensitive information, use and disclosure, and cross-border data flows. While many jurisdictions do not deal separately with the concept of consent, some, like Canada and Germany,[96] …
Publications
Read more