Ten Personal Information Protection Principles (PIPP)

Complaints can only be made about an alleged breach of one or more of the 10 Personal Information Protection Principles (PIPP) in the Personal Information Protection Act 2004 (the Act).

You can find the PIPP in Schedule 1 of the Act. This page is a summary of the PIPP, and can be downloaded and printed.

1. Collection

An organisation can only collect your personal information if it is necessary to fulfil one or more of its functions or activities. It must take reasonable steps to notify you of its contact details, your rights of access and the main consequences if you do not provide the information.

2. Use and Disclosure

Generally your personal information can only be used and disclosed for the purpose for which it was collected, for a secondary purpose that you would reasonably expect or if you have consented to the use or disclosure. The law allows some uses without consent, such as to protect public health or law enforcement purposes.

3. Data Quality

Organisations must take reasonable steps to ensure your personal information is accurate, complete, up to date and relevant to its functions.

4. Data Security

Organisations must take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.  An organisation must take reasonable steps to destroy or permanently de-identify your personal information when it is no longer needed.

5. Openness

Organisations must have clear policies on the way they manage personal information. You may ask a personal information custodian, in general terms, what information it holds, how it collects it and for what purpose is the information used.

6. Access and correction

You have a right to access your personal information and seek corrections if the information is incorrect, incomplete, out of date or misleading.

7. Unique identifiers

A personal information custodian must not assign a unique identifier to an individual unless it is necessary to carry out its functions efficiently.

8. Anonymity

Where it is lawful and practicable you should have the option of not identifying yourself when transacting with a personal information custodian.

9. Disclosure of information outside Tasmania

A custodian may disclose personal information about an individual to a body outside of Tasmania if the disclosure is required by law or is necessary for the performance of a legal contract.

10. Sensitive information

This includes your racial or ethnic origin, political opinions and membership of political associations, religious or philosophical beliefs, membership of professional or trade associations or trade unions, sexual preferences, health information and criminal record. The Act puts special restrictions on the collection of sensitive information.