Privacy and personal information

Action points

  • Know the 12 Privacy Principles.
  • If in doubt, check with your Privacy Officer.
  • Advise users how you will protect, use and provide access to their personal information and seek their agreement.

Website business owners, managers and administrators need to be aware of their responsibility not to disclose an individual’s personal information. They also need to be aware of the Information Privacy Principles of the Privacy Act 1993.

What is personal information?

The Privacy Commission's website defines personal information as: “Information about a living human being. The information needs to identify that person, or be capable of identifying that person.” This is also known as Personally Identifying Information or PII.

At times we collect basic personal information from users over the web. People may share their email addresses for receiving updates, or publicly available information such as postal addresses and/or phone numbers for follow-up contact.

Sometimes we also collect more sensitive information related to an individual’s personal circumstances. Systems dealing with such information require higher levels of protection and assurance, and you should seek further advice. You may decide, based on the context in which personal information is supplied, that seemingly low-sensitivity information needs higher levels of protection.

When in doubt, check with your agency’s Privacy Officer and check out this discussion on Privacy Impact Assessments.

Regardless, individuals are the owners of their personal information. When it is disclosed over the web, it is provided to government only for a specific business purpose. It should not be disclosed to others without the explicit consent of the individual. It should be treated, at the least, as ‘In Confidence’.

Your obligations

You have an obligation to make individuals aware of what information is being collected, why it is being collected, how it will be used, how it will be kept secure, and their right to review and correct it. The individual’s authorisation is needed for any other use or disclosure of the information. This applies even for information that most people are willing to share with others, such as their contact details.

You may wish to seek users’ acknowledgement of those terms by asking them to give their consent via a check-box on any online forms used for entering personal information.

What are the Privacy Principles?

The Privacy Act 1993, by which we are legally bound, is founded on 12 Privacy Principles. The Office of the Privacy Commissioner publishes a summary wallchart (PDF 499KB) as a quick-reference reminder of these principles.

If your agency collects personal information of any kind – even information that is usually of low sensitivity – then you should be aware of these Privacy Principles.

There are circumstances where each of these principles may not apply; consult the Privacy Commissioner’s website for guidance on the Privacy Principles. Agency staff with any queries in this area should consult their Privacy Officer.