Publication date: September 2014

The Territory Privacy Principles (TPPs) commenced on 1 September 2014 and apply to ACT public sector agencies and contracted service providers (including subcontractors), but only to the extent they perform obligations under a government contract. The text of the TPPs comes from Schedule 1 of the Information Privacy Act 2014 (ACT). For the latest version of this Act visit the ACT Legislation Register website.

The TPPs are similar to the Australian Privacy Principles (Commonwealth APPs) in Schedule 1 of the Privacy Act 1988 (Commonwealth Act) that apply to organisations and to Australian Government (and Norfolk Island Government) agencies. Some of the Commonwealth APPs are not relevant to the regulation of information privacy by ACT public sector agencies and have not been included in the TPPs. If the Commonwealth APPs have a provision that is not included in the TPPs, the relevant TPP is numbered to maintain consistency between provisions common to both the Commonwealth APPs and the TPPs; a note also appears under the relevant TPP describing the omitted provision of the Commonwealth APPs.

The TPPs also contain minor textual differences to the Commonwealth APPs which do not change the intended meaning of the principles. For example, the phrase ‘the entity must take such steps (if any) as are reasonable in the circumstances’ is used in the Commonwealth APPs while a similar phrase, ‘the agency must take reasonable steps’, is used in the TPPs.[1] While expressed differently, both requirements could be satisfied by taking no steps if that is reasonable in the particular circumstances.

Part 1.1 Consideration of personal information privacy

TPP 1 — open and transparent management of personal information

1.1 The object of this TPP is to ensure that public sector agencies manage personal information in an open and transparent way.

Compliance with the TPPs etc

1.2 A public sector agency must take reasonable steps to implement practices, procedures and systems relating to the agency's functions or activities that—

  1. will ensure that the agency complies with the TPPs and any TPP code that binds the agency; and
  2. will enable the agency to deal with inquiries or complaints from individuals about the agency's compliance with the TPPs or a code.

TPP privacy policy

1.3 A public sector agency must have a clearly expressed and up-to-date policy (the TPP privacy policy) about the management of personal information by the agency.

1.4 Without limiting TPP 1.3, the TPP privacy policy of the public sector agency must contain the following information:

  1. the kinds of personal information that the agency collects and holds;
  2. how the agency collects and holds personal information;
  3. the purposes for which the agency collects, holds, uses and discloses personal information;
  4. how an individual may access personal information about the individual that is held by the agency and seek the correction of the information;
  5. how an individual may complain about a breach of the TPPs, or any TPP code that binds the agency, and how the agency will deal with the complaint;
  6. whether the agency is likely to disclose personal information to overseas recipients;
  7. if the agency is likely to disclose personal information to overseas recipients—the countries in which the recipients are likely to be located if it is practicable to state those countries in the policy.

Availability of TPP privacy policy etc

1.5 A public sector agency must take reasonable steps to make its TPP privacy policy available —

  1. free of charge; and
  2. in an appropriate form.

Example:

on the agency's website

Note: An example is part of the Act, is not exhaustive and may extend, but does not limit, the meaning of the provision in which it appears (see Legislation Act, s 126 and s 132).

1.6 If a person requests a copy of the TPP privacy policy of a public sector agency in a particular form, the agency must take reasonable steps to give the person a copy in that form.

Note: Person includes a reference to a corporation as well as an individual (see Legislation Act, s 160).

TPP 2 — anonymity and pseudonymity

2.1 Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with a public sector agency in relation to a particular matter.

2.2 TPP 2.1 does not apply if, in relation to the matter —

  1. the public sector agency is required or authorised by or under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves; or
  2. it is impracticable for the public sector agency to deal with individuals who have not identified themselves or who have used a pseudonym.

Part 1.2 Collection of personal information

TPP 3 — collection of solicited personal information

Personal information other than sensitive information

3.1 A public sector agency must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, 1 or more of the agency's functions or activities.

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 3, s 3.2).

Sensitive information

3.3 A public sector agency must not collect sensitive information about an individual unless —

  1. the individual consents to the collection of the information and the information is reasonably necessary for, or directly related to, 1 or more of the agency's functions or activities; or
  2. TPP 3.4 applies in relation to the information.

Note: The equivalent provision in the Commonwealth APPs also applies to certain private sector entities (see Commonwealth APP 3, s 3.3 (a) (ii)).

3.4 This subsection applies in relation to sensitive information about an individual if—

  1. the collection of the information is required or authorised by or under an Australian law or a court or tribunal order; or
  2. a permitted general situation exists in relation to the collection of the information by the public sector agency; or

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 3, s 3.4 (c)).

  4. the public sector agency is an enforcement body and the agency reasonably believes that the collection of the information is reasonably necessary for, or directly related to, 1 or more of the agency's functions or activities.

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to—

  • the Commonwealth Immigration Department (see Commonwealth APP 3, s 3.4 (d) (i)); and
  • non-profit organisations (see Commonwealth APP 3, s 3.4 (e)).

Means of collection

3.5 A public sector agency must collect personal information only by lawful and fair means.

3.6 A public sector agency must collect personal information about an individual only from the individual unless —

  1. either —
    1. the individual consents to the collection of the information from someone other than the individual; or
    2. the agency is required or authorised by or under an Australian law, or a court or tribunal order, to collect the information from someone other than the individual; or
  2. it is unreasonable or impracticable to do so.

Note: The equivalent provision in the Commonwealth APPs applies, in part, to certain private sector entities.

Solicited personal information

3.7 TPP 3 applies to the collection of personal information that is solicited by a public sector agency.

TPP 4 — dealing with unsolicited personal information

4.1 If —

  1. a public sector agency receives personal information; and
  2. the agency did not solicit the information;

the agency must, within a reasonable period after receiving the information, decide whether or not the agency could have collected the information under TPP 3 if the agency had solicited the information.

4.2 The public sector agency may use or disclose the personal information for the purposes of making the decision under TPP 4.1.

4.3 If —

  1. the public sector agency decides that the agency could not have collected the personal information; and
  2. the information is not contained in a territory record;

the agency must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.

4.4 If TPP 4.3 does not apply in relation to the personal information, TPPs 5 to 13 apply in relation to the information as if the agency had collected the information under TPP 3.

TPP 5 — notification of the collection of personal information

5.1 At or before the time or, if that is not practicable, as soon as practicable after, a public sector agency collects personal information about an individual, the agency must take reasonable steps —

  1. to notify the individual of the matters mentioned in TPP 5.2 that are reasonable in the circumstances; or
  2. to otherwise ensure that the individual is aware of those matters.

5.2 The matters for TPP 5.1 are as follows:

  1. the identity and contact details of the public sector agency;
  2. if —
    1. the public sector agency collects the personal information from someone other than the individual; or
    2. the individual may not be aware that the public sector agency has collected the personal information;
    the fact that the agency collects, or has collected, the information and the circumstances of that collection;
  3. if the collection of the personal information is required or authorised by or under an Australian law, or a court or tribunal order — the fact that the collection is required or authorised (including the name of the Australian law, or details of the court or tribunal order, that requires or authorises the collection);
  4. the purposes for which the public sector agency collects the personal information;
  5. the main consequences (if any) for the individual if all or some of the personal information is not collected by the public sector agency;
  6. any other public sector agency or entity, or the kinds of any other public sector agencies or entities, to which the public sector agency usually discloses personal information of the kind collected by the agency;
  7. that the TPP privacy policy of the public sector agency contains information about how the individual may access the personal information about the individual that is held by the agency and seek the correction of the information;
  8. that the TPP privacy policy of the public sector agency contains information about how the individual may complain about a breach of the TPPs, or any TPP code that binds the agency, and how the agency will deal with the complaint;
  9. whether the public sector agency is likely to disclose the personal information to overseas recipients;
  10. if the public sector agency is likely to disclose the personal information to overseas recipients — the countries in which the recipients are likely to be located if it is practicable to state those countries in the notification or to otherwise make the individual aware of them.

Part 1.3 Dealing with personal information

TPP 6 — use or disclosure of personal information

Use or disclosure

6.1 If a public sector agency holds personal information about an individual that was collected for a particular purpose (the primary purpose), the agency must not use or disclose the information for another purpose (the secondary purpose) unless —

  1. the individual has consented to the use or disclosure of the information; or
  2. TPP 6.2 or TPP 6.3 applies in relation to the use or disclosure of the information.

Note: TPP 8 sets out requirements for the disclosure of personal information to a person who is not in Australia or an external territory.

6.2 This subsection applies in relation to the use or disclosure of personal information about an individual if —

  1. the individual would reasonably expect the public sector agency to use or disclose the information for the secondary purpose and the secondary purpose is —
    1. if the information is sensitive information — directly related to the primary purpose; or
    2. if the information is not sensitive information — related to the primary purpose; or
  2. the use or disclosure of the information is required or authorised by or under an Australian law or a court or tribunal order; or
  3. a permitted general situation exists in relation to the use or disclosure of the information by the public sector agency; or

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 6, s 6.2 (d)).

  5. the public sector agency reasonably believes that the use or disclosure of the information is reasonably necessary for 1 or more enforcement-related activities conducted by, or on behalf of, an enforcement body.

6.3 This subsection applies in relation to the disclosure of personal information about an individual by a public sector agency if —

  1. the agency is not an enforcement body; and
  2. the information is biometric information or biometric templates; and
  3. the recipient of the information is an enforcement body; and
  4. the disclosure is conducted in accordance with the guidelines made by the information privacy commissioner for this subsection.

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 6, s 6.4).

Written note of use or disclosure

6.5 If a public sector agency uses or discloses personal information in accordance with TPP 6.2 (e), the agency must make a written note of the use or disclosure.

Related bodies corporate

6.6 If —

  1. a public sector agency is a corporation; and
  2. the agency collects personal information from a related body corporate;

this TPP applies as if the agency's primary purpose for the collection of the information were the primary purpose for which the related body corporate collected the information.

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 6, s 6.7).

7 Direct marketing

Note 1: The Commonwealth Act includes a privacy principle prohibiting direct marketing by certain private sector entities (see Commonwealth APP 7).

Note 2: However, Commonwealth APP 7 applies to an act or practice of a public sector agency if the agency engages in commercial activities (see s 23).

TPP 8 — cross-border disclosure of personal information

8.1 Before a public sector agency discloses personal information about an individual to a person (an overseas recipient)—

  1. who is not in Australia or an external territory; and
  2. who is not the agency or the individual;

the agency must take reasonable steps to ensure that the overseas recipient does not breach the TPPs (other than TPP 1) in relation to the information.

Note: In certain circumstances, an act done, or a practice engaged in, by an overseas recipient is taken, under s 22, to have been done, or engaged in, by the public sector agency and to be a breach of the TPPs.

8.2 TPP 8.1 does not apply to the disclosure of personal information about an individual by a public sector agency to the overseas recipient if—

  1. the agency reasonably believes that—
    1. the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the TPPs protect the information; and
    2. there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
  2. both of the following apply:
    1. the agency expressly informs the individual that if the individual consents to the disclosure of the information, TPP 8.1 will not apply to the disclosure;
    2. after being informed, the individual consents to the disclosure; or
  3. the disclosure of the information is required or authorised by or under an Australian law, or a court or tribunal order; or
  4. a permitted general situation (other than the situation mentioned in section 19 (1) (d) or (e)) exists in relation to the disclosure of the information by the agency; or
  5. the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia or the Territory is a party; or
  6. both of the following apply:
    1. the agency reasonably believes that the disclosure of the information is reasonably necessary for 1 or more enforcement-related activities conducted by, or on behalf of, an enforcement body;
    2. the recipient is a body that exercises functions that are similar to those exercised by an enforcement body.

9 Adoption, use or disclosure of government-related identifiers

Note 1: The Commonwealth Act includes a privacy principle regulating the adoption, use or disclosure of government-related identifiers by certain private sector entities (see Commonwealth APP 9).

Note 2: However, Commonwealth APP 9 applies to an act or practice of a public sector agency if the agency engages in commercial activities (see s 23).

Part 1.4 Integrity of personal information

TPP 10 — quality of personal information

10.1 A public sector agency must take reasonable steps to ensure that the personal information that the agency collects is accurate, up-to-date and complete.

10.2 A public sector agency must take reasonable steps to ensure that the personal information that the agency uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.

TPP 11 — security of personal information

11.1 If a public sector agency holds personal information, the agency must take reasonable steps to protect the information —

  1. from misuse, interference or loss; and
  2. from unauthorised access, modification or disclosure.

11.2 If —

  1. a public sector agency holds personal information about an individual; and
  2. the agency no longer needs the information for a purpose for which the information may be used or disclosed by the agency under the TPPs; and
  3. the information is not contained in a territory record; and
  4. the agency is not required by or under an Australian law, or a court or tribunal order, to retain the information;

the agency must take reasonable steps to destroy the information or to ensure that the information is de-identified.

Part 1.5 Access to, and correction of, personal information

TPP 12 — access to personal information

Access

12.1 If a public sector agency holds personal information about an individual, the agency must, on request by the individual, give the individual access to the information.

Exception to access — agency

12.2 If the public sector agency is required or authorised to refuse to give the individual access to the personal information by or under —

  1. the Freedom of Information Act 1989; or
  2. another law in force in the ACT that provides for access by people to documents;

then, despite TPP 12.1, the agency is not required to give access to the extent that the agency is required or authorised to refuse to give access.

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 12, s 12.3).

Dealing with requests for access

12.4 The public sector agency must —

  1. respond to the request for access to the personal information within 30 days after the day the request is made; and
  2. give access to the information in the way requested by the individual, if it is reasonable and practicable to do so.

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 12, s 12.4 (a) (ii)).

Other means of access

12.5 If the public sector agency refuses —

  1. to give access to the personal information because of TPP 12.2; or
  2. to give access in the way requested by the individual;

the agency must take reasonable steps to give access in a way that meets the needs of the agency and the individual.

12.6 Without limiting TPP 12.5, access may be given through the use of a mutually agreed intermediary.

Access charges

12.7 The public sector agency must not charge the individual for the making of the request or for giving access to the personal information.

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 12, s 12.8).

Refusal to give access

12.9 If the public sector agency refuses to give access to the personal information because of TPP 12.2, or to give access in the way requested by the individual, the agency must give the individual a written notice that sets out —

  1. the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
  2. the mechanisms available to complain about the refusal; and
  3. any other matter prescribed by regulation.

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 12, s 12.10).

TPP 13 — correction of personal information

Correction

13.1 If —

  1. a public sector agency holds personal information about an individual; and
  2. either —
    1. the agency is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading; or
    2. the individual requests the agency to correct the information;

the agency must take reasonable steps to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.

Notification of correction to third parties

13.2 If —

  1. the public sector agency corrects personal information about an individual that the agency previously disclosed to another public sector agency; and
  2. the individual requests the agency to notify the other public sector agency of the correction;

the agency must take reasonable steps to give the notification unless it is impracticable or unlawful to do so.

Refusal to correct information

13.3 If the public sector agency refuses to correct the personal information as requested by the individual, the agency must give the individual a written notice that sets out —

  1. the reasons for the refusal except to the extent that it would be unreasonable to do so; and
  2. the mechanisms available to complain about the refusal; and
  3. any other matter prescribed by regulation.

Request to associate a statement

13.4 If —

  1. the public sector agency refuses to correct the personal information as requested by the individual; and
  2. the individual requests the agency to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading;

the agency must take reasonable steps to associate the statement in a way that will make the statement apparent to users of the information.

Dealing with requests

13.5 If a request is made under TPP 13.1 or TPP 13.4, the public sector agency —

  1. must respond to the request within 30 days after the day the request is made; and
  2. must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information.

Note: The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 13, s 13.5 (a) (ii)).

Footnote

[1] These phrases can be found in both APPs and TPPs 5.1, 10.1, 10.2, 12.5, 13.1, 13.2.