Fact Sheet - Information Protection Principles (IPPs)
Updated May 2026
| Who is this information for? | This fact sheet has been developed for NSW agencies and members of the public. |
|---|---|
| Why is this information important to them? | This fact sheet will assist agencies and the public to understand the information protection principles (IPPs) that govern the protection of personal information under the NSW Privacy and Personal Information Protection Act 1998 (PPIP Act). |
Section 4 of the Privacy and Personal Information Protection Act 1998 (PPIP Act) defines ‘personal information’ as:
“Information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.[1]
For information to be personal information, it does not necessarily need to be written down and nor does it need to be of a particular type or category such as “sensitive” or “important” information.
The definition of personal information is broad and includes information where an individual can be directly identified from the information or whose identity can be reasonably ascertained by reference to other information.
Under the PPIP Act, NSW public sector agencies, statutory bodies, universities and local councils must comply with specific requirements when they collect, store, use or disclose personal information. These requirements are set out in the 12 Information Protection Principles (IPPs) in the PPIP Act. Under the PPIP Act, exemptions may apply in some instances to how the IPPs will apply.
Information about the 12 IPPs is summarised below. In addition to the 12 IPPs, there are 15 health privacy principles (HPPs), which apply under the Health Records and Information Privacy Act 2002 (HRIP Act) and set out the requirements for health information.[2]
Agencies should consult the full text of the legislation for further information and/or contact the Privacy Contact Officer in their agency for further advice about the IPPs or HPPs. Members of the public can also contact the Privacy Contact Officer at the relevant agency or the Information and Privacy Commissioner (IPC) for further advice.
Collection
IPP 1 – Lawful
An agency must only collect personal information for a lawful purpose, which is directly related to the agency’s function or activities and is reasonably necessary for that purpose.
An agency must not collect personal information by any unlawful means.
IPP 2 – Direct
In collecting personal information, an agency must only collect personal information directly from the person concerned, unless they have authorised collection from someone else, or if the person is under the age of 16 and the information has been provided by a parent or guardian.
IPP 3 – Open
An agency must take reasonable steps to inform the person they are collecting the information from why they are collecting it, what they will do with it and who else might see it. The agency must also tell the person how they can view and correct their personal information, whether the information is required by law or voluntary, and any consequences that may apply if they decide not to provide their information.
IPP 4 – Relevant
An agency must take reasonable steps to ensure that the personal information collected is relevant, accurate, complete, up-to-date and not excessive and that the collection does not unreasonably intrude into the personal affairs of the individual.
Storage
IPP 5 – Secure
An agency must store personal information securely, keep it no longer than necessary for the purposes for which it was lawfully collected and dispose of it appropriately. The personal information should also be protected from loss, unauthorised access, use, modification or disclosure and all.
Access and Accuracy
IPP 6 – Transparent
An agency must take reasonable steps to explain to the person what personal information about them is being stored, why it is being stored and any rights they have to access it.
IPP 7 – Accessible
An agency must, at the request of the individual to whom the information relates, allow them to access their personal information without excessive delay or expense.
IPP 8 – Alteration
An agency must, at the request of the individual to whom the information relates, allow them, unless an exception applies, to make appropriate amendments, whether by way of update, correction or amendment, to their personal information where necessary to ensure that the personal information is accurate, relevant, up to date, complete and not misleading when considering the purpose for which it is to be used.
Use
IPP 9 – Accurate
An agency must take reasonable steps to ensure that the personal information is relevant, accurate, up to date and complete before using it.
IPP 10 – Limited
An agency must only use personal information for the purpose it was collected unless the person has given their consent, or the purpose of use is directly related to the purpose for which it was collected, or to prevent or lessen a serious or imminent threat to any person’s health or safety.
Disclosure
IPP 11 – Restricted
An agency can only disclose personal information in limited circumstances with a person’s consent or if the person was told at the time when the personal information was collected that it would be disclosed. An agency can also disclose personal information if disclosure is directly related to the purpose for which the information was collected and there is no reason to believe the person would object, or the person has been made aware that information of that kind is usually disclosed, or if disclosure is necessary to prevent a serious and imminent threat to any person’s health or safety.
IPP 12 – Safeguarded
An agency cannot disclose sensitive personal information without a person’s consent, for example information about ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership. It can only disclose sensitive personal information without consent in order to prevent a serious and imminent threat to any person’s health or safety.
For more information
Contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au
NOTE: The information in this fact sheet is to be used as a guide only. Legal advice should be sought in relation to individual circumstances.
