Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Information Sheet (Private Sector) 3 - 2001: Openness
National Privacy Principle 5 (NPP 5) requires organisations to be open about their handling of personal information in two ways. This information sheet expands on the Privacy Commissioner's Guidelines to the National Privacy Principles.
Ways an organisation could give NPP 5.1 information
There are a number of ways an organisation could set out its personal information management policies in a clearly expressed document. For example:
- a retailer might decide that the simplest way would be to display the organisation's privacy policy on a sign in the store;
- the information could be provided in a printout or a pamphlet that is handed out on request; or
- a privacy policy could be put on a web site, either on a home page or on a prominent and accessible link from the home page.
Tips for compliance
Additional information that an organisation could have in the document includes:
When an organisation is aware of any particular requirements affecting an individual requesting information about its privacy policy, it could consider presenting the information in a way that takes into account those requirements. Some factors that may affect the way an organisation presents information could include any disability the individual may have, the individual's level of understanding, or the individual's language or literacy skills.
Providing information under NPP 5.2
NPP 5.2 requires an organisation, when requested, to take reasonable steps to let an individual know, generally, what sort of personal information it holds, for what purposes and how it collects, holds, uses and discloses that information. NPP 5.2 does not limit the type or detail of information that an organisation can provide. It may tailor the information according to what the individual wants to know. The type of information that an individual may ask for could include:
- the kind of personal information the organisation collects;
- what, if any, of that information is sensitive information under the Privacy Act 1988 (Cth) (the Privacy Act);
- how the organisation generally collects personal information;
- the purposes for which the organisation collects or holds personal information;
- more details about the way the organisation uses personal information;
- the kinds of personal information the organisation shares with related corporations;
- more information about who the organisation discloses personal information to and the reasons for doing so;
- more details on the organisation's functions or activities that involve personal information and are contracted out;
- who the person can contact in the organisation if they have a privacy concern;
- the organisation's contact details, for example, the name, street and postal addresses, the main telephone and fax numbers and appropriate e-mail addresses;
- how the organisation stores or secures information (an organisation is not required to give specific details of security measures that would jeopardise the security of the personal information an organisation holds);
- how individuals are able to get access to information the organisation holds about them;
- the kinds of personal information the organisation may transfer overseas; and
- how an individual can make a complaint to the organisation about a possible breach of privacy, including, where appropriate, a contact number for the organisation's complaints or privacy section.
Reasonable steps when providing the information required under NPP 5.2
Organisations could consider a number of matters when deciding what are reasonable steps under NPP 5.2, including:
- any particular requirements the individual making the request has, that the organisation is aware of, which may affect the way an organisation considers presenting the information, such as disability, level of understanding, language or literacy skills;
- the size of the organisation and the variety and complexity of the information it holds. For example, in a small local organisation it may be appropriate for the person to be given the information verbally. In a large organisation written material may be a better option;
- how much information the individual wants. For example, the request may only be about the type of personal information an organisation holds;
- providing information, whether simple or complex, in a user-friendly, accessible way and avoiding jargon or in-house terms.
About Information Sheets
Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.) Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner ISBN 1 - 877079 - 25 - 1 Privacy Hotline 1300 363 992 (local call charge)
Differences between NPPs 5.1, 5.2 and 1.3
| Question | NPP 5.1 | NPP 5.2 | NPP 1.3 |
| --- | --- | --- | --- |
| When does an organisation have to provide the information? | When an individual asks for it. | When an individual asks for it. | Whether the person asks or not an organisation must take reasonable steps to make the person aware at the time of collection or as soon as practicable after the collection. |
| How should the information be given? | Set out in a document. | Details can be provided verbally or in writing. | Details can be provided either verbally or in writing. |
| What information must be given? | Whether the organisation is bound by the NPPs or a privacy code approved by the Commissioner and if this is the case a reference to the privacy code; any exemptions under the Privacy Act that apply to the personal information the organisation holds or to any of its acts or practices; that an individual can get more information on request about the way the organisation manages the personal information it holds. | Some of the information may be similar to that required under 5.1. However, more general information about the organisation's information handling practices should be provided so that the person has a fuller understanding. The information provided may depend on what the individual wants to know. The information can relate to the organisation's general information handling practices. | Organisations must take reasonable steps to include the minimum information specified in NPP 1.3: organisation identity and contact details; access awareness; the purpose/s; disclosure information about this collection; laws relating to this collection; consequences of not providing the information. |


