Information protection principles for the public
Fact sheet - Information Protection Principles for the public, updated April 2023
The 12 Information Protection Principles (IPPs) are your key to the Privacy and Personal Information Protection Act 1998 (PPIP Act).
These are legal obligations which NSW public sector agencies, statutory bodies, universities and local councils must abide by when they collect, store, use or disclose personal information.
As exemptions may apply in certain circumstances, it is suggested that you contact the Privacy Contact Officer at the agency or the Information and Privacy Commission NSW (IPC) for further advice.
An agency must only collect personal information for a lawful purpose. It must be directly related to the agency’s functions or activities and necessary for that purpose. An agency must not collect personal information by any unlawful means.
An agency must only collect personal information directly from you, unless you have authorised collection from someone else, or if you are under the age of 16 and the information has been provided by a parent or guardian.
An agency must inform you that the information is being collected, the reason or purpose for which it is being collected, and who will be storing and using it. You must also be told how you can access and correct your personal information, whether the information is required by law or is voluntary, and any consequences that may apply if you decide not to provide it.
An agency must ensure that your personal information is relevant, accurate, complete, up to date and not excessive. The collection of the information should not unreasonably intrude into your personal affairs.
An agency must store personal information securely, keep it no longer than necessary and dispose of it appropriately. The personal information should also be protected from loss, unauthorised access, use, modification, disclosure and all other misuse.
Access and accuracy
An agency must provide you with details regarding the personal information they are storing, why they are storing it and what rights you have to access it.
An agency must allow you to access your personal information without excessive delay or expense.
An agency must, at your request, update, correct, delete, or amend your personal information where necessary, unless an exception applies. This will ensure that your personal information is accurate, relevant, up to date, complete and not misleading, when considering the purpose for which it is to be used.
An agency must ensure that your personal information is relevant, accurate, up to date, complete and not misleading before using it.
An agency can only use your personal information for the purpose for which it was collected unless you have given consent, or the use is directly related to a purpose that you would expect, or to prevent or lessen a serious or imminent threat to any person’s health or safety.
An agency can only disclose your information in limited circumstances if you have consented or if you were told at the time they collected it that they would do so. An agency can also disclose your information if it is for a directly related purpose and it can be reasonably assumed that you would not object, if you have been made aware that information of that kind is usually disclosed, or if disclosure is necessary to prevent a serious and imminent threat to any person’s health or safety.
An agency cannot disclose your sensitive personal information without your consent, for example, information about ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership. It can only disclose your sensitive personal information without consent in order to deal with a serious and imminent threat to any person’s health or safety.
For more information
Contact the Information and Privacy Commission NSW (IPC):
NOTE: This is a guide only. Legal advice should be sought in relation to individual circumstances.