The 10 National Privacy Principals (NPPs) are the fundamental rules in the new act about how organisations should handle personal information.
In summary, the 10 NPPs require that:
COLLECTION of personal information must be fair, lawful and not intrusive. A person must be told the collecting organisation’s name, the purpose for collecting the information, and that they can get access to their information.
USE & DISCLOSURE of personal information must only be for the purpose that it was intended for (or for strongly related secondary purposes), or for specified direct marketing, public interest, law enforcement, or public safety purposes. Opportunities must be provided for individuals to opt out of some uses of information.
DATA QUALITY must be good – accurate, complete and up-to-date when collected and used.
DATA SECURITY must be safe—from misuse, loss, unauthorised access.
OPENNESS must be provided –organisations must have a policy document available to consumers that outlines their information handling practices. On request, organisations must take steps to inform individuals what sort of information it holds, for what purposes and how it collects, holds, uses and discloses that information.
ACCESS & CORRECTION of personal information must be made available on request by the individual.
IDENTIFIERS that have been assigned by a Commonwealth government “agency” can generally not be adopted, used, or disclosed.
ANONYMITY should be provided by organisations whenever it is lawful and practicable to do so.
TRANSBORDER DATA FLOWS are only allowed where the foreign recipient has appropriate protection.
SENSITIVE INFORMATION must not be collected unless the individual has consented, or in some special circumstances (such as public health and safety.)