Misuse of info

Misuse of personal information

Personal information is any information or opinion about an identifiable person. This could include:

  • written records about a person
  • a photograph or image of a person
  • fingerprints or DNA samples that identify a person
  • information about a person that is not written down, but which is in the possession or control of the agency.

There are some exemptions from the definition of personal information. For example:

  • personal information does not include information about a person who has been dead for 30 or more years
  • personal information does not include various classes of information used for specific purposes or in specific contexts


Data Protection Principles

Collection
1. Lawful – when people/companies collect your personal information, the information must be collected for a lawful purpose. It must also be directly related to the activities and necessary for that purpose.
2. Direct – your information must be collected directly from you, unless you have given your consent otherwise. Parents and guardians can give consent for minors.
3. Open – you must be informed that the information is being collected, why it is being collected and who will be storing and using it. People/companies should also tell you how you can see and correct this information.
4. Relevant – people/companies must ensure that the information is relevant, accurate, up-to-date and not excessive. The collection should not unreasonably intrude into your personal affairs.

Storage
5. Secure – your information must be stored securely, not kept any longer than necessary, and disposed of appropriately. It should be protected from unauthorised access, use or disclosure.

Access
6. Transparent – people/companies must provide you with enough details about what personal information they are storing, why they are storing it and what rights you have to access it.
7. Accessible – people/companies must allow you to access your personal information without unreasonable delay and expense.
8. Correct – people/companies must allow you to update, correct or amend your personal information where necessary.

Use
9. Accurate – people/companies must make sure that your information is accurate before using it.
10. Limited – people/companies can only use your information for the purpose for which it was collected, for a directly related purpose, or for a purpose to which you have given your consent. It can also be used without your consent in order to deal with a serious and imminent threat to any person’s health or safety.

Disclosure
11. Restricted – people/companies can only disclose your information with your consent or if you were told at the time they collected it from you that they would do so. People can also disclose your information if it is for a related purpose and they don’t think that you would object. Your information can also be used without your consent in order to deal with a serious and imminent threat to any person’s health or safety.
12. Safeguarded – people/companies cannot disclose your sensitive personal information without your consent, for example information about your ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities or trade union membership. They can only disclose sensitive information without your consent in order to deal with a serious and imminent threat to any person’s health or safety.