58Regulation-making power

58 Regulation-making power The Executive may make regulations for this Act. Schedule 1 Territory privacy principles page 44 Information Privacy Act 2014 Effective: 16/12/25 R13 16/12/25 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au Schedule 1 Territory privacy principles (see s 13) Note 1 This schedule sets out the TPPs. • Pt 1.1 sets out principles that require public sector agencies to consider the privacy of personal information, including ensuring that public sector agencies manage personal information in an open and transparent way. • Pt 1.2 sets out principles that deal with the collection of personal information, including unsolicited personal information. • Pt 1.3 sets out principles about how public sector agencies deal with personal information. The part includes principles about the use and disclosure of personal information. • Pt 1.4 sets out principles about the integrity of personal information. The part includes principles about the quality and security of personal information. • Pt 1.5 sets out principles that deal with requests for access to, and the correction of, personal information. Note 2 The TPPs are: • TPP 1—open and transparent management of personal information • TPP 2—anonymity and pseudonymity • TPP 3—collection of solicited personal information • TPP 4—dealing with unsolicited personal information • TPP 5—notification of the collection of personal information • TPP 6—use or disclosure of personal information • TPP 8—cross-border disclosure of personal information • TPP 10—quality of personal information • TPP 11—security of personal information • TPP 12—access to personal information • TPP 13—correction of personal information. Territory privacy principles Schedule 1 Consideration of personal information privacy Part 1.1 Section 1 R13 16/12/25 Information Privacy Act 2014 Effective: 16/12/25 page 45 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au Note 3 The TPPs do not include provisions equivalent to the Commonwealth APPs relating to certain private sector and other entities. To maintain consistent numbering between the TPPs and the Commonwealth APPs— • if the Commonwealth APPs contain a provision that is not included in this Act—the relevant TPP in this schedule is numbered to maintain consistency in numbering between provisions common to both Acts; and • a note appears under the relevant TPP in this schedule describing the omitted provision of the Commonwealth APPs. The TPPs also contain minor textual and formatting differences to the Commonwealth APPs. Part 1.1 Consideration of personal information privacy 1 TPP 1—open and transparent management of personal information 1.1 The object of this TPP is to ensure that public sector agencies manage personal information in an open and transparent way. Compliance with the TPPs etc 1.2 A public sector agency must take reasonable steps to implement practices, procedures and systems relating to the agency’s functions or activities that— (a) will ensure that the agency complies with the TPPs and any TPP code that binds the agency; and (b) will enable the agency to deal with inquiries or complaints from individuals about the agency’s compliance with the TPPs or a code. Schedule 1 Territory privacy principles Part 1.1 Consideration of personal information privacy Section 1 page 46 Information Privacy Act 2014 Effective: 16/12/25 R13 16/12/25 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au TPP privacy policy 1.3 A public sector agency must have a clearly expressed and up-to-date policy (the TPP privacy policy) about the management of personal information by the agency. 1.4 Without limiting TPP 1.3, the TPP privacy policy of the public sector agency must contain the following information: (a) the kinds of personal information that the agency collects and holds; (b) how the agency collects and holds personal information; (c) the purposes for which the agency collects, holds, uses and discloses personal information; (d) how an individual may access personal information about the individual that is held by the agency and seek the correction of the information; (e) how an individual may complain about a breach of the TPPs, or any TPP code that binds the agency, and how the agency will deal with the complaint; (f) whether the agency is likely to disclose personal information to overseas recipients; (g) if the agency is likely to disclose personal information to overseas recipients—the countries in which the recipients are likely to be located if it is practicable to state those countries in the policy. Territory privacy principles Schedule 1 Consideration of personal information privacy Part 1.1 Section 2 R13 16/12/25 Information Privacy Act 2014 Effective: 16/12/25 page 47 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au Availability of TPP privacy policy etc 1.5 A public sector agency must take reasonable steps to make its TPP privacy policy available— (a) free of charge; and (b) in an appropriate form. Example on the agency’s website 1.6 If a person requests a copy of the TPP privacy policy of a public sector agency in a particular form, the agency must take reasonable steps to give the person a copy in that form. Note Person includes a reference to a corporation as well as an individual (see Legislation Act, s 160). 2 TPP 2—anonymity and pseudonymity 2.1 Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with a public sector agency in relation to a particular matter. 2.2 TPP 2.1 does not apply if, in relation to the matter— (a) the public sector agency is required or authorised by or under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves; or (b) it is impracticable for the public sector agency to deal with individuals who have not identified themselves or who have used a pseudonym. Schedule 1 Territory privacy principles Part 1.2 Collection of personal information Section 3 page 48 Information Privacy Act 2014 Effective: 16/12/25 R13 16/12/25 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au Part 1.2 Collection of personal information 3 TPP 3—collection of solicited personal information Personal information other than sensitive information 3.1 A public sector agency must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities. Note The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 3, s 3.2). Sensitive information 3.3 A public sector agency must not collect sensitive information about an individual unless— (a) the individual consents to the collection of the information and the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities; or (b) TPP 3.4 applies in relation to the information. Note The equivalent provision in the Commonwealth APPs also applies to certain private sector entities (see Commonwealth APP 3, s 3.3 (a) (ii)). 3.4 This subsection applies in relation to sensitive information about an individual if— (a) the collection of the information is required or authorised by or under an Australian law or a court or tribunal order; or Territory privacy principles Schedule 1 Collection of personal information Part 1.2 Section 3 R13 16/12/25 Information Privacy Act 2014 Effective: 16/12/25 page 49 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au (b) a permitted general situation exists in relation to the collection of the information by the public sector agency; or Note The equivalent provision in the Commonwealth APPs includes a provision applying to certain private sector entities (see Commonwealth APP 3, s 3.4 (c)). (d) the public sector agency is an enforcement body and the agency reasonably believes that the collection of the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities. Note The equivalent provision in the Commonwealth APPs includes a provision applying to— • the Commonwealth Immigration Department (see Commonwealth APP 3, s 3.4 (d) (i)); and • non-profit organisations (see Commonwealth APP 3, s 3.4 (e)). Means of collection 3.5 A public sector agency must collect personal information only by lawful and fair means. 3.6 A public sector agency must collect personal information about an individual only from the individual unless— (a) either— (i) the individual consents to the collection of the information from someone other than the individual; or (ii) the agency is required or authorised by or under an Australian law, or a court or tribunal order, to collect the information from someone other than the individual; or (b) it is unreasonable or impracticable to do so. Note The equivalent provision in the Commonwealth APPs applies, in part, to certain private sector entities. Schedule 1 Territory privacy principles Part 1.2 Collection of personal information Section 4 page 50 Information Privacy Act 2014 Effective: 16/12/25 R13 16/12/25 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au Solicited personal information 3.7 TPP 3 applies to the collection of personal information that is solicited by a public sector agency. 4 TPP 4—dealing with unsolicited personal information 4.1 If— (a) a public sector agency receives personal information; and (b) the agency did not solicit the information; the agency must, within a reasonable period after receiving the information, decide whether or not the agency could have collected the information under TPP 3 if the agency had solicited the information. 4.2 The public sector agency may use or disclose the personal information for the purposes of making the decision under TPP 4.1. 4.3 If— (a) the public sector agency decides that the agency could not have collected the personal information; and (b) the information is not contained in a territory record; the agency must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified. 4.4 If TPP 4.3 does not apply in relation to the personal information, TPPs 5 to 13 apply in relation to the information as if the agency had collected the information under TPP 3. Territory privacy principles Schedule 1 Collection of personal information Part 1.2 Section 5 R13 16/12/25 Information Privacy Act 2014 Effective: 16/12/25 page 51 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au 5 TPP 5—notification of the collection of personal information 5.1 At or before the time or, if that is not practicable, as soon as practicable after, a public sector agency collects personal information about an individual, the agency must take reasonable steps— (a) to notify the individual of the matters mentioned in TPP 5.2 that are reasonable in the circumstances; or (b) to otherwise ensure that the individual is aware of those matters. 5.2 The matters for TPP 5.1 are as follows: (a) the identity and contact details of the public sector agency; (b) if— (i) the public sector agency collects the personal information from someone other than the individual; or (ii) the individual may not be aware that the public sector agency has collected the personal information; the fact that the agency collects, or has collected, the information and the circumstances of that collection; (c) if the collection of the personal information is required or authorised by or under an Australian law, or a court or tribunal order—the fact that the collection is required or authorised (including the name of the Australian law, or details of the court or tribunal order, that requires or authorises the collection); (d) the purposes for which the public sector agency collects the personal information; (e) the main consequences (if any) for the individual if all or some of the personal information is not collected by the public sector agency; Schedule 1 Territory privacy principles Part 1.2 Collection of personal information Section 5 page 52 Information Privacy Act 2014 Effective: 16/12/25 R13 16/12/25 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au (f) any other public sector agency or entity, or the kinds of any other public sector agencies or entities, to which the public sector agency usually discloses personal information of the kind collected by the agency; (g) that the TPP privacy policy of the public sector agency contains information about how the individual may access the personal information about the individual that is held by the agency and seek the correction of the information; (h) that the TPP privacy policy of the public sector agency contains information about how the individual may complain about a breach of the TPPs, or any TPP code that binds the agency, and how the agency will deal with the complaint; (i) whether the public sector agency is likely to disclose the personal information to overseas recipients; (j) if the public sector agency is likely to disclose the personal information to overseas recipients—the countries in which the recipients are likely to be located if it is practicable to state those countries in the notification or to otherwise make the individual aware of them. Territory privacy principles Schedule 1 Dealing with personal information Part 1.3 Section 6 R13 16/12/25 Information Privacy Act 2014 Effective: 16/12/25 page 53 Authorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au Part 1.3 Dealing with personal information