Skip to main content

Human Rights: On the record: Appendix 2

On the record

Appendix 2 – Summary of National Privacy Principles relevant to criminal record information

Summary of National Privacy Principles obligations under the Privacy Act relevant to criminal record information.

1. Collection

An organisation covered by the Privacy Act must only collect necessary criminal record information (for example, this should be information relevant to the job in question) and must collect it fairly and lawfully.

2. Use and disclosure

An organisation covered by the Privacy Act must only use or disclose criminal record information in ways that are related to the primary reason for collecting the information and which individuals would reasonably expect to happen, or with the consent of the individual to the use or disclosure. For example, an employer may use or disclose personal information to protect the health and safety of any person, or if they think that an unlawful activity has occurred, and the use of the disclosure is a necessary part of investigation or reporting the unlawful activity.  

3. Data quality

An organisation covered by the Privacy Act must take reasonable steps to check that the criminal record information is of sufficient quality – accurate, complete and up-to-date – for the purpose. For example, this may mean asking the job applicant to verify the details on a police record check.

4. Data security

An organisation covered by the Privacy Act must keep criminal record information safe when it is in use and dispose of it securely when the organisation is finished with it. For example, relevant criminal record information collected from job applicants may need to be disposed of as soon as the job applicant is unsuccessful in gaining the job, unless it is needed for future applications and the job applicant consents to this.

5. Openness

An organisation covered by the Privacy Act must have a written policy outlining how the organisation manages personal information. On request, the organisation must provide a copy of the policy.

6. Access and correction

An organisation covered by the Privacy Act must give individuals access to all the criminal record information they hold about them unless one of the exceptions under NPP6.1 applies. It should also take steps to correct the information if it is wrong or give the individual reasons why it cannot be corrected. If an individual asks for correction of the information, a statement should be attached saying the individual disagrees with the information.

9. Transborder data flows

Where there may be a need for an organisation covered by the Privacy Act to transfer criminal record information overseas, NPP 9 prevents an organisation from disclosing personal information to someone in a foreign country that is not subject to a comparable information privacy scheme, except where it has the individual’s consent or in some other limited circumstance.

10. Sensitive information

Criminal record information is sensitive information for the purposes of the NPPs. With some specified exemptions under NPP 10.1, such as if required by law, NPP 10 prohibits the collection of sensitive information about an individual unless the individual has consented first.


<< Appendix 1 | Appendix 2 | Useful Contacts >>