Privacy for agencies

Agencies - that is almost everyone holding personal information about others - have to comply with the Privacy Act.

This isn't as hard as you might think. The Act is structured around 12 information privacy principles, which model the way in which good businesses handle personal information.

Information Privacy Principles

These principles can be summarised as:

  1. Only collect personal information if you really need it
  2. Get it straight from the people concerned where possible
  3. Tell them what you're going to do with it
  4. Collect it legally and fairly
  5. Take care of it once you've got it
  6. People can see their personal information if they want to
  7. They can correct it if it's wrong
  8. Make sure personal information is correct before you use it
  9. Get rid of it when you're done with it
  10. Use it for the purpose you got it
  11. Only disclose it if you have a good reason
  12. Only assign unique identifiers where permitted.

Together, these principles form a 'life-cycle' for personal information.

Agencies must first decide what information they need, and where and how they are going to get it. They then need to ensure they hold the information with appropriate protections and that they comply with any access or correction requests they receive. Finally, personal information should be used and disclosed with care and kept securely, and in line with the purposes for which the information was collected.

For a summary of the health information privacy rules, view this page.

Getting started

The Getting started section will help you to plan how you will comply with the information privacy principles.

Other statutes

The Privacy Act can be "trumped" by other legislation, if that legislation says something different to the standards set out in the privacy principles.

For example, if another statutory provision allows you to disclose information in the circumstances, you won't be in breach of the Privacy Act by disclosing the information regardless of what principle 11 says.

Having a privacy officer

The Act requires all agencies (including businesses) to have a privacy officer.

It's too hard for everyone in an agency to know all the privacy principles and what other law might apply. So have a privacy officer - a person who is responsible for finding out what to do, and giving advice to other members of staff.

Let us know who your privacy officer is. We can provide training, or we can give the person information about the Act. We can also put them in touch with other privacy officers in your area.

The only thing we can't do is give you direct legal advice on individual problems, just in case that problem ends up as a complaint to the Commissioner.

Our enquiries line

Don't forget, if you need general information about your obligations under the Act, please contact us.