Information Privacy Principles Short Guide
The 10 Information Privacy Principles (IPPs) are contained in Schedule 1 to the Privacy and Data Protection Act 2014 (PDP Act). This is a short summary of the IPPs and only provides high-level guidance. For detailed guidance, please refer to Guidelines to the Information Privacy Principles or the full text of the IPPs.
IPP 1 – COLLECTION
An organisation can only collect personal information if it is necessary to fulfil one or more of its functions. It must collect information only by lawful and fair means, and not in an unreasonably intrusive way. It must provide notice of the collection, outlining matters such as the purpose of collection and how individuals can access the information. This is usually done by providing a Collection Notice, which should be consistent with an organisation’s Privacy Policy.
IPP 2 – USE AND DISCLOSURE
Personal information can only be used and disclosed for the primary purpose for which it was collected, or for a secondary purpose that would be reasonably expected. It can also be used and disclosed in other limited circumstances, such as with the individual’s consent, for a law enforcement purpose, or to protect the safety of an individual or the public.
IPP 3 – DATA QUALITY
Organisations must keep personal information accurate, complete and up to date. The accuracy of personal information should be verified at the time of collection, and periodically checked as long as it is used and disclosed by the organisation.
IPP 4 – DATA SECURITY
Organisations need to protect the personal information they hold from misuse, loss, unauthorised access, modification or disclosure. An organisation must take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed.
IPP 5 – OPENNESS
Organisations must have clearly expressed policies on the way they manage personal information. Individuals can ask to view an organisation’s Privacy Policy.
IPP 6 – ACCESS AND CORRECTION
Individuals have the right to seek access to their own personal information and to make corrections to it if necessary. An organisation may only refuse in limited circumstances that are detailed in the PDP Act. The right to access and correction under IPP 6 will apply to organisations that are not covered by the Freedom of Information Act 1982 (Vic).
IPP 7 – UNIQUE IDENTIFIERS
A unique identifier is an identifier (usually a number) that is used for the purpose of identifying an individual. Use of unique identifiers is only allowed where an organisation can demonstrate that the assignment is necessary to carry out its functions efficiently. There are also restrictions on how organisations can adopt unique identifiers assigned to individuals by other organisations.
IPP 8 – ANONYMITY
Where lawful and practicable, individuals should have the option of transacting with an organisation without identifying themselves.
IPP 9 – TRANSBORDER DATA FLOWS
If an individual’s personal information travels outside Victoria, the privacy protection should travel with it. Organisations can only transfer personal information outside Victoria in certain circumstances, for example, if the individual consents, or if the recipient of the personal information is subject to a law or binding scheme that is substantially similar to the Victorian IPPs.
IPP 10 – SENSITIVE INFORMATION
The PDP Act places special restrictions on the collection of sensitive information. This includes racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of professional or trade associations or trade unions, sexual preferences or practices, and criminal record. Organisations can only collect sensitive information under certain circumstances.
THE INFORMATION LIFECYCLE
This graphic represents the IPPs throughout the information lifecycle, highlighting the principles that should be considered at each stage, starting with collection.
