The Privacy Principles make it clear that organisations must be open with people about the personal information they collect and handle. This can be seen in four requirements of the Privacy Principles:
Organisations must make available to the public a document in which they clearly express their policies for the management of personal information they hold (IPP 5.1).
On request, an organisation must also take reasonable steps to inform a person about:
The potentially onerous requirements of IPP 5 mean that it will usually be in the interests of organisations to develop detailed written policies about management of personal information that address, among other things, the specific requirements of IPP 5.2.
Every time personal information about an individual is collected, the organisation collecting the information must take reasonable steps to ensure that the individual is aware of:
Important points to note:
Privacy Principle 6 sets out an alternative access scheme to Freedom of Information access. However, the Privacy access scheme is limited to the personal information of the individual concerned.
Like the FOI access scheme exemptions, there are a series of reasons why an organisation can refuse access to information (IPPs 6.1 and 6.2). Many of the exceptions are similar to FOI exemptions but there are some differences. One of the exceptions arises if 'denying access is required or authorised by law'. This would appear to allow refusal based on any of the FOI access exemptions.
In general terms, the requirements for, and procedures involved in, the FOI access scheme are more concrete, and spelled out in more detail, than the Privacy access scheme. In most cases, it will probably be preferable for individuals seeking access to use the FOI access scheme.
Privacy Principle 6 sets out an alternative correction scheme to Freedom of Information correction.
Like the FOI access scheme, the Privacy correction scheme refers to information that is not accurate, complete or up to date. If the person establishes this, the organisation must take reasonable steps to correct it.
In general terms, the requirements for, and procedures involved in, the FOI correction scheme are more concrete, and spelled out in more detail, than the Privacy correction scheme. In most cases, it will probably be preferable for individuals seeking correction to utilise the FOI correction scheme.