Table of Contents Table of Contents
Previous Page  123 / 192 Next Page
Show Menu
Previous Page 123 / 192 Next Page
Page Background

Chapter 9

Data Protection Principle 5

The main questions:

• What are the general requirements under DPP5?

• How can a data user’s privacy policy and practices be made generally available?

• What information is recommended to be made generally available?

The questions of a data user making information generally available as discussed in this

Chapter concerning DPP5 have been selected on the basis of their practical importance in

light of the Commissioner’s own experience. Before reading this Chapter, readers should read

paragraphs 1.7 to 1.11 in Chapter 1 —

Introduction, which contain important general

information on using this Book.

The General Requirements of DPP5


Data Protection Principle 5 provides as follows:

Principle 5 – information to be generally available

All practicable steps shall be taken to ensure that a person can –

(a) ascertain a data user’s policies and practices in relation to personal data;

(b) be informed of the kind of personal data held by a data user;

(c) be informed of the main purposes for which personal data held by a data user is or is to

be used.


Although the obligation imposed under DPP5 is not an absolute one as it only requires a

data user to take all reasonably practicable steps to comply with it, the Commissioner

regards it as being of absolute importance for a data user who engages in acts or

practices that involve regular collection of personal data in the course of its business or

performance of its activities or functions to make known and be transparent about its

personal data policies and practices. Good governance dictates that organisational

data users, such as government departments or corporations, take heed of the

increasing public concern that data subjects’ personal data privacy should be properly

protected under a set of privacy policies and practices that is made generally available.

In AAB No. 15/2000, the AAB upheld the Commissioner’s decision to issue an

enforcement notice against a regulatory body whose daily operation involves the

collection of sensitive personal data from the general public for failing to implement a