Reading through the details published by the OAIC and related government pages leads to the conclusion that…
The Office of the Australian Information Commissioner (the OAIC) regulates the Privacy Act 1988 (Cth) (the Act), which sets out the manner in which Australian, ACT and Norfolk Island government agencies, and many private sector organisations, are to handle personal information.
The 10 National Privacy Principles (NPPs) in the Act regulate the collection, security, use and disclosure of personal information handled by many private sector organisations.
The NPPs apply to all private sector organisations in Australia with an annual turnover of more than $3 million, and to all private health service providers irrespective of turnover. Further information on the coverage of, and exemptions from, the NPPs is available in our published Information Sheet 12.
If the organisation is covered by the Act, then it will need to comply with the NPPs in its handling of personal information.
Under NPP 5.1, an organisation covered by the Act must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it. This document could take the form of a privacy statement or policy, which may be published on the company's website.
The NPPs are not prescriptive. This means that while they state general rules to which organisations need to adhere, they do not specify the practical steps an organisation must take to meet its obligations.
Further information, including tips for compliance, is available in our published Guidelines to the NPPs on our website.