Managing other people’s personal information

The Personal Information Protection Act 2004 (the Act) gives people the right to complain to the Ombudsman about an alleged breach of a personal information principle (PIPP) by a personal information custodian.

Personal information custodians include Tasmanian public authorities like state government departments, local councils, statutory bodies, the University of Tasmania, Tasmania Police, state owned companies and, in some circumstances, organisations providing services for the State.

What is personal information?

Personal information means any information or opinion in any recorded format about an individual whose identity is apparent or is reasonably ascertainable from the information or opinion and who is alive or has not been dead for more than 25 years.

Examples of personal information include a person’s name, gender, date of birth, address, financial details, marital status, education and employment history.

Some personal information is classified as ‘sensitive information’.  This is information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record and health information.

Generally, an agency needs to obtain consent from a person to collect sensitive information.

Personal information custodians must generally comply with the PIPPs.

Ten Personal Information Protection Principles

Complaints can only be made about an alleged breach of one or more of the ten Personal Information Principles in the Act.

Managing personal information

Personal information custodians should:

  • Have a publicly available policy that tells people how it will handle personal information.
  • Take reasonable steps to notify people of the organisation’s contact details, their rights of access and the main consequences if the personal information is not provided.
  • Generally not use personal information for a secondary purpose unrelated to the main purpose for which it was collected.
  • Think before disclosing personal information and get consent from the individual if there is a reason for disclosing personal information that is different from the reason for which it was collected.
  • If people ask, give them access to the personal information held about them.
  • Keep personal information secure and safe from unauthorised access, misuse or disclosure.
  • Not keep information that is no longer needed or that is no longer required to be retained.
  • Take reasonable steps to keep personal information accurate and up to date.
  • Consider making someone in the organisation responsible for its responsibilities under the Act and promoting compliance.

Complaint process

What happens when the Ombudsman receives a complaint?

The Ombudsman will conduct a preliminary assessment of the complaint to decide whether to ‘deal with it’.  This generally involves considering if the Ombudsman has jurisdiction and seeking further information from the complainant or the custodian.

The Ombudsman may decide not to deal with a complaint if it is frivolous, vexatious, lacking in substance, trivial or if the alleged breach is permitted under law.

What happens when the Ombudsman decides to investigate a complaint?

An Ombudsman Tasmania investigation officer will be assigned to handle the complaint.

As the first step in the process, the complaint will be outlined to the custodian and a response will be sought.

If the matter proceeds to an investigation, it is conducted in accordance with Division 3 of the Ombudsman Act 1978.   The investigation will generally be ‘on the papers’ but interviews or inspection of premises may be required.

What can be done to resolve a complaint?

If the Ombudsman is of the opinion that a personal information custodian has contravened a PIPP, the Ombudsman is to advise the complainant and the agency involved and may make any recommendations considered appropriate.  The Ombudsman is to provide a copy of the advice and any recommendation to the relevant Minister for tabling in Parliament.

For further information please telephone 1800 001 170 to speak to an officer about your enquiry.


Ten Personal Information Protection Principles

Download the Fact Sheet (PDF, 73.5 KB)