PERSONAL INFORMATION PROTECTION ACT 2004 - SCHEDULE 1 - Personal Information Protection Principles

SCHEDULE 1 - Personal Information Protection Principles

Sections 6, 9, 10, 11 and 16

1.    Collection
(1) A personal information custodian must not collect personal information unless the information is necessary for one or more of its functions or activities.
(2) A personal information custodian must collect personal information only by lawful means.
(3) Before collection, during collection or as soon as practicable after collection of personal information about an individual from the individual, the personal information custodian must take any reasonable steps necessary to ensure that the individual is aware of the following:
(a) its identity and how to contact it;
(b) the individual's right of access to the information;
(c) the purposes for which the information is collected;
(d) the intended recipients or class of recipients of the information;
(e) any law that requires the information to be collected;
(f) the main consequences for the individual if all or part of the information is not provided.
(4) If it is reasonable and practicable to do so, a personal information custodian must collect personal information about an individual only from that individual.
(5) If a personal information custodian collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is made aware of the matters referred to in subclause (3) unless doing so would pose a serious threat to the life, safety, health or welfare of any individual.
2.    Use and disclosure
(1) A personal information custodian must not use or disclose personal information about an individual for a purpose other than the purpose for which it was collected unless –
(a) both of the following apply:
(i) that purpose is related to the primary purpose and, if the personal information is sensitive information, that information is directly related to the primary purpose;
(ii) the individual would reasonably expect the personal information custodian to use or disclose the information for that purpose; or
(b) the individual has consented to the use or disclosure; or
(c) if the use or disclosure is necessary for research or the compilation or analysis of statistics in the public interest, other than for publication in a form that identifies any particular individual –
(i) it is impracticable for the personal information custodian to seek the individual's consent before the use or disclosure; or
(ii) the personal information custodian reasonably believes that the recipient of the information is not likely to disclose the information; or
(d) the personal information custodian reasonably believes that the use or disclosure is necessary to lessen or prevent –
(i) a serious threat to an individual's life, health, safety or welfare; or
(ii) a serious threat to public health or public safety; or
(e) the personal information custodian has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(f) the use or disclosure is required or authorised by or under law; or
(g) the personal information custodian reasonably believes that the use or disclosure is reasonably necessary for any of the following purposes by or on behalf of a law enforcement agency:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of conduct that is in the opinion of the personal information custodian seriously improper conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal or implementation of any order of a court or tribunal;
(vi) the investigation of missing persons;
(vii) the investigation of a matter under the Coroners Act 1995; or
(h) the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its functions, has requested the personal information custodian to disclose the personal information and –
(i) the disclosure is made to an officer or employee of ASIO or ASIS appropriately authorised in writing to receive the disclosure; and
(ii) an officer or employee of ASIO or ASIS so authorised certifies that the disclosure is connected with the performance by ASIO or ASIS of its functions; or
(i) the personal information is to be used as employee information in relation to –
(i) the suitability of the individual for appointment; or
(ii) the suitability of the individual for employment held by the individual; or
(j) the personal information is employee information which is being transferred from one personal information custodian to another personal information custodian for use as employee information relating to the individual; or
(k) subclause (4) or section 12 applies.
(2) If a personal information custodian uses or discloses personal information under subclause (1)(g), it must make a written note of the use or disclosure.
(3) Subclause (1) applies to personal information collected by a personal information custodian that is a body corporate from a related body corporate as if the primary purpose of that collection were the primary purpose for which the related body corporate collected the information.
(4) A personal information custodian that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if –
(a) the individual is –
(i) physically or legally incapable of giving consent to the disclosure; or
(ii) physically unable to communicate consent to the disclosure; and
(b) the natural person providing the health service for the personal information custodian is satisfied that the disclosure –
(i) is necessary to provide appropriate care or treatment of the individual; or
(ii) is made for compassionate reasons; and
(c) the disclosure is not contrary to any wish –
(i) expressed by the individual before the individual became unable to give or communicate consent; and
(ii) of which the natural person is aware, or of which he or she could reasonably be expected to be aware; and
(d) the disclosure is limited to the extent reasonable and necessary for the purpose mentioned in paragraph (b).
(5) A person is responsible for an individual if the person –
(a) is a parent of the individual; or
(b) is a child or sibling of the individual and at least 18 years of age; or
(c) is a spouse of the individual; or
(d) is in a personal relationship, within the meaning of the Relationships Act 2003, with the individual; or
(e) is a relative of the individual, at least 18 years of age and a member of the individual's household; or
(f) is a guardian of the individual; or
(g) is exercising enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or
(h) is nominated by the individual to be contacted in case of emergency.
3.    Data quality
A personal information custodian must take reasonable steps to ensure that, having regard to the purpose for which the personal information is to be used, the personal information it collects, uses, holds or discloses is accurate, complete, up-to-date and relevant to its functions or activities.
4.    Data security
(1) A personal information custodian must take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification or disclosure.
(2) A personal information custodian must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
(3) A personal information custodian, the records of which are subject to the Archives Act 1983, must take the reasonable steps referred to in subclause (2) only with the approval of the State Archivist.
5.    Openness
(1) A personal information custodian must clearly set out in a document its policies on its management of personal information.
(2) A personal information custodian must make the document available to anyone who asks for it.
(3) On request by a person, a personal information custodian must take reasonable steps to advise the person, in general terms, of –
(a) the sort of personal information it holds; and
(b) the purposes for which it holds the information; and
(c) how it collects, holds, uses and discloses that information.
6.    Access and correction
(1) If a personal information custodian holds personal information about an individual, the personal information custodian –
(a) may provide that individual with access to his or her personal information on receipt of a written request from the individual for access to his or her personal information; or
(b) if the personal information custodian –
(i) notifies the individual of a decision to refuse a request under paragraph (a); or
(ii) does not respond to a request under paragraph (a) within 20 working days –
the personal information custodian, on receipt of a further written request from the individual for access to his or her personal information, must provide the individual with access to his or her personal information as if –
(iii) the written request were an application for assessed disclosure of information under section 13 of the Right to Information Act 2009; and
(iv) the personal information custodian were subject to that Act; and
(v) a reference in that Act to a public authority or a Minister were a reference to a personal information custodian.
(2) An individual may request amendment of his or her personal information in accordance with Part 3A if that information is incorrect, incomplete, out of date or misleading.
7.    Unique identifiers
(1) A personal information custodian must not assign a unique identifier to an individual unless it is necessary for it to carry out any of its functions efficiently.
(2) A personal information custodian must not adopt as its own unique identifier of an individual a unique identifier that has been assigned to the individual by another personal information custodian unless –
(a) that adoption is necessary for it to carry out any of its functions efficiently; or
(b) it has obtained the consent of the individual to the use of the unique identifier; or
(c) it is a body, an organisation or an individual adopting the unique identifier created by a personal information custodian in the performance of its obligations to the personal information custodian under a personal information contract.
(3) A personal information custodian must not use or disclose a unique identifier assigned to an individual by another personal information custodian unless –
(a) the use or disclosure is necessary for it to fulfil its obligations to the other personal information custodian; or
(b) clause 2(1) applies.
(4) A personal information custodian must not require an individual to provide a unique identifier in order to obtain a service unless the provision –
(a) is required or authorised by law; or
(b) is in connection with the purpose, or a directly related purpose, for which the unique identifier was assigned.
8.    Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with a personal information custodian.
9.    Disclosure of information outside Tasmania
A personal information custodian may disclose personal information about an individual to another person or other body who is outside Tasmania only if –
(a) the personal information custodian reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that has principles for fair handling of the information that are substantially similar to the personal information protection principles; or
(b) the individual consents to the disclosure; or
(c) the disclosure is necessary for –
(i) the performance of a contract between the individual and the personal information custodian; or
(ii) the conclusion or performance of a contract concluded in the interest of the individual between the personal information custodian and a third party; or
(d) the personal information custodian has taken reasonable steps to ensure that the information which it has disclosed is not to be held, used or disclosed by the recipient of the information inconsistently with the personal information protection principles; or
(e) the disclosure is authorised or required by any other law.
10.    Sensitive information
(1) A personal information custodian must not collect sensitive information about an individual unless –
(a) the individual has consented; or
(b) the collection is required or permitted by law; or
(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual and the individual to whom the information relates –
(i) is physically or legally incapable of giving consent to the collection; or
(ii) physically cannot communicate consent to the collection; or
(iii) is subject to a guardianship order under the Guardianship and Administration Act 1995 or an assessment order or treatment order under the Mental Health Act 2013; or
(d) the information is collected in the course of the activities of a non-profit personal information custodian that has only racial, ethnic, political, religious, philosophical, professional, trade or trade union aims and –
(i) the information relates solely to the members of that personal information custodian or to individuals who have regular contact with it in connection with its activities; and
(ii) at or before the time of collection, the personal information custodian undertakes to the individual to whom the information relates that it will not disclose the information without the individual's consent; or
(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim; or
(f) subclause (2), (3), (4) or (6) applies.
(2) A personal information custodian may collect sensitive information about an individual if –
(a) either of the following applies:
(i) the collection is necessary for research or the compilation or analysis of statistics in the public interest and any resulting publication does not identify the individual;
(ii) the information relates to an individual's racial or ethnic origin and is collected for the purpose of welfare or educational services funded by government; and
(b) there is no reasonably practicable alternative to collecting the information for a purpose referred to in paragraph (a); and
(c) it is impracticable for the personal information custodian to seek the individual's consent to the collection.
(3) A personal information custodian may collect sensitive information that is health information about an individual if –
(a) the information is necessary to provide a health service to the individual; and
(b) the information is collected –
(i) as required by law, other than this Act; or
(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the personal information custodian.
(4) A personal information custodian may collect sensitive information that is health information about an individual if –
(a) the collection is necessary for any of the following purposes:
(i) research relevant to public health or public safety;
(ii) the compilation or analysis of statistics relevant to public health or public safety;
(iii) the management, funding or monitoring of a health service; and
(b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and
(c) it is impracticable for the personal information custodian to seek the individual's consent to the collection; and
(d) the information is collected –
(i) as required by law, other than this Act; or
(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the personal information custodian.
(5) If a personal information custodian collects sensitive information that is health information about an individual in accordance with subclause (4), it must take reasonable steps to permanently de-identify the information before disclosing it.
(6) A personal information custodian may collect sensitive information that is health information from an individual about another person without the consent of that other person, or without complying with clause 1(5), if both the following apply:
(a) the collection is necessary for the provision of any health service provided to the individual;
(b) the information is relevant to the social or family history of the individual.