Information Sheet 10-2001 Application to the Privacy Act to Information Already Held

	Publications
		Archives
	SPECIFIC PRIVACY INFORMATION FOR:
		Individuals
		Business
		Health
		Government

		Federal Privacy Law
		About the Office
		Frequently Asked Questions
		IT and Internet Issues
		Media and Speeches
		Publications
		Privacy Links
		International
		Contact us

Information Sheet 10-2001 Application to the Privacy Act to Information Already Held

View printable version of this page

PDF, Word

When the new private sector amendments to the Privacy Act 1988 (Cth) (the Privacy Act) come into force on 21 December 2001, not all the National Privacy Principles (NPPs) will apply to information that private sector organisations have already collected. Section 16C of the Privacy Act sets out which NPPs will apply regardless of when the information was collected, and which NPPs will only apply to information collected after the private sector amendments commence.

Starting date of private sector provisions

The private sector provisions will take effect for different organisations at different times. This table explains when the provisions are due to take effect.

Type of organisation	Start date
Organisations with an annual turnover of more than $3 million. Health service providers regardless of turnover. Organisations with an annual turnover of $3 million or less that opt in to coverage.	21 December 2001
Organisations with a turnover of $3 million or less that trade in personal information are Commonwealth government contractors. (See Information Sheet 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions for more detail.)	21 December 2002
Other small businesses with a turnover of $3 million or less.	The Privacy Act does not apply.

When each NPP applies

Only some of the NPPs apply to personal information that an organisation has already collected at the time the private sector provisions come into effect. The table below sets out, for those organisations covered by the Privacy Act, whether the NPP applies to information already collected and when each NPP will apply.

NPP	Topic	What information the NPP applies to
NPP 1	Collection	Only applies to information collected after 21 December 2001 (or for small businesses (not health services) applies to information collected after 21 December 2002).
NPP 2	Use and disclosure	Only applies to information collected after 21 December 2001 (or for small businesses (not health services) applies to information collected after 21 December 2002).
NPP 3	Data quality and collection	As it applies to collection it only applies to information collected after 21 December 2001 (or for small businesses (not health services) applies to information collected after 21 December 2002).
NPP 3	Data quality on use and disclosure	As it applies to use and disclosure it applies regardless of when it was collected (for small business (not health services), delay in application until 21 December 2002, then applies regardless of when collected).
NPP 4	Data security	Applies regardless of when information was collected (for small business (not health services), delay in application until 21 December 2002, then applies regardless of when collected).
NPP 5	Privacy policies and openness	Applies regardless of when information was collected (for small business (not health services), delay in application until 21 December 2002, then applies regardless of when collected).
NPP 6	Access and correction	If information already held is not used or disclosed it only applies to information collected after 21 December 2001. But if information already held is used or disclosed after commencement then rights of access and correction apply unless: there is an unreasonable administrative burden; or it will cause the organisation unreasonable expense (or for small businesses (not health services), applies to information collected after 21 December 2002, with no exception).
NPP 7	Commonwealth Government identifiers	Applies regardless of when information collected (for small business (not health services), delay in application until 21 December 2002, then applies regardless of when collected).
NPP 8	Anonymity	Only applies to information collected after 21 December 2001 (for small businesses, only applies to transactions entered into with an organisation after 21 December 2002).
NPP 9	Transborder data flow	Applies regardless of when information collected(for small business, delay in application until 21 December 2002, then applies regardless of when collected).
NPP 10	Collection of sensitive information	Only applies to information collected after 21 December 2001 (or for small businesses (not health services), applies to information collected after 21 December 2002).

About Information Sheets

Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)

Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.

Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.

Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner
ISBN 1-877079-31-6

Privacy Hotline 1300 363 992 (local call charge)