"Personal information" means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
1.1 LHM must:
(a) only collect personal information that is necessary for its functions or activities.
(b) use fair and lawful ways to collect personal information, and not be unreasonably intrusive.
(c) collect personal information directly from the individual where reasonable and practicable to do so.
1.2 At the time LHM collects personal information (or as soon as possible thereafter), it must take reasonable steps to make an individual aware of:
(a) the identity of LHM and how to contact it;
(b) the fact that they are able to obtain access to their personal information;
(c) the purposes for which the information is collected;
(d) the types of organisations to which LHM would usually disclose the information;
(e) any law that requires the information to be collected; and
(f) the main consequences (if any) for the individual if the information is not provided.
1.3 LHM must also take reasonable steps to ensure the individual is aware of this information even if the information is collected from a third party.
2.1 LHM must only use or disclose personal information for the primary purpose of collection unless:
(a) the individual has consented to the use or disclosure;
(b) the secondary purpose is related to the primary purpose and the individual would reasonably expect LHM to use or disclose the information for that secondary purpose;
(c) the information is not sensitive information and LHM wishes to use the information for direct marketing purposes, provided that certain requirements are satisfied; or
(d) public health or safety reasons.
2.2 We recommend LHM does not use or disclose personal information for direct marketing without obtaining further advice on the legal requirements, unless it first obtains consent from the relevant individual(s).
3. DATA QUALITY & SECURITY (NPP 3 & 4)
3.1 LHM must take reasonable steps to
(a) ensure the personal information LHM collects, uses or discloses is accurate, complete and up-to-date.
(b) protect the personal information LHM holds from misuse and loss and from unauthorised access, modification or disclosure.
(c) destroy or permanently de-identify personal information if it no longer needs it for any purpose for which it may use or disclose the information.
4. PRIVACY STATEMENT (NPP 5)
4.1 LHM must have a short document that sets out clearly expressed policies on the way it manages personal information, and make this document available to any person that asks for it.
5. ACCESS & CORRECTION (NPP 6)
5.1 If an individual asks, LHM must provide them with access to the personal information it hold about them, unless particular circumstances apply to limit the extent to which access is required, for example if:
(a) providing access would have an unreasonable impact upon the privacy of other individuals; or
(b) the request for access is frivolous or vexatious; or
(c) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings.
5.2 If an individual is able to establish that the information is not accurate, complete and up to date, LHM must take reasonable steps to correct the information so that it is accurate, complete and up to date. If the individual and LHM disagree about whether the information is accurate, complete and up to date, LHM must take reasonable steps, upon request, to associate with the information a statement claiming that the information is not accurate, complete or up to date.
5.3 LHM must provide reasons for denial of access or a refusal to correct personal information.
6. IDENTIFIERS (NPP 7)
6.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by a Commonwealth agency, unless particular circumstances apply to allow you to do so.
7. ANONYMITY (NPP 8)
7.1 Wherever it is lawful and practicable, LHM must give individuals the option of not identifying themselves when entering transactions with LHM.
8. TRANSBORDER DATA FLOWS (NPP 9)
8.1 LHM must not transfer personal information about an individual overseas unless the specified criteria are met, for example where:
(a) LHM reasonably believes that the recipient is subject to a law or binding contract which imposes obligations substantially similar to the National Privacy Principles; or
(b) the individual consents to the transfer; or
(c) LHM has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
9. SENSITIVE INFORMATION (NPP 10)
9.1 LHM must not collect sensitive information about an individual unless specified criteria are met, including but not limited to where:
(a) the individual has consented; or
(b) the collection is required by law.