Privacy and personal information
If your agency collects personal information, you need to keep it safe and treat it with care.
What you need to know
- The 13 Information Privacy Principles (IPPs).
- Inform users in easy-to-understand language how you will use, share, protect, and provide access to their personal information.
- Enable people to understand what’s happening with their information and what choices they have.
- When in doubt, check with your privacy officer.
The Information Privacy Principles
Under the Privacy Act 2020, all agencies (government departments, companies, small businesses, social clubs and other types of organisations) must follow a set of rules when handling personal information. Personal information is any information which is about an identifiable individual.
The Act has 13 information privacy principles which set out how your agency should handle personal information.
The first four principles — 1 to 4 — govern how you can collect personal information. This includes when you can collect it, where you can collect it from, and how you can collect it.
Principles 5 through 7 govern how you store personal information. People have a right to access and seek correction to their personal information.
The rest of the principles govern how you use and share personal information. Make sure information is accurate, and you use and share it appropriately.
You have to tell people:
- what information is being collected
- why it is being collected
- how it will be used
- how it will be kept secure
- about their right to review and correct it.
A person’s authorisation is needed for any other use or disclosure of the information. This also applies to information that most people are willing to share with others, such as their contact details.
The Act requires all agencies to have at least 1 person who’s familiar with the agency’s privacy obligations and fulfils the role of a privacy officer.
Mandatory breach reporting
You also must report privacy breaches that reach the threshold of serious harm.
You can use the Office of the Privacy Commissioner’s online tool NotifyUs to help you work out if a breach is notifiable.
If your agency has a privacy breach that is likely to cause anyone serious harm, you are legally required to notify the Commissioner and any affected persons as soon as practicable.
Managing personal information
Those who collect, use, share and store data and information are stewards and caretakers of that information. It is provided for a specific purpose and should not be used for other purposes or disclosed to others without the explicit authorisation of the person.
Some personal information may be more sensitive and require additional protections. Systems dealing with sensitive information require higher levels of protection and assurance. You may decide that based on the context in which personal information is supplied that seemingly low sensitivity information needs higher levels of protection.
For public sector agencies, personal information should generally be classified as IN CONFIDENCE where its release would adversely affect the privacy of the person. However, information should be assessed on a case-by-case basis as this classification may not be appropriate in all circumstances.
Private sector agencies may choose to adopt government classification as a way of ensuring appropriate protection of personal information.
Guidance from the Office of the Privacy Commissioner website:
Guidance, advice and tools from the Government Chief Privacy Officer: