This is a brief summary of the principles. The full text of the principles is contained in Schedule 1 of the Personal Information Protection Act 2004.
- Collection - An organisation can only collect personal information if it is necessary to fulfil the organisation’s functions.
- Use and disclosure - Personal information should be used and disclosed for the primary purpose for which it was collected unless it is for a secondary purpose that the client would reasonably expect, or for which they have given consent. The law also allows some uses and disclosures without consent, such as to protect safety.
- Data quality - Organisations must ensure the personal information is accurate, complete and up to date before it is used.
- Data security - Personal information must be protected from misuse, loss and unauthorised access, modification or disclosure.
- Openness - Organisations must have clearly expressed policies on the way they manage personal information. A client can ask to see the policy.
- Access and correction - Clients have a right to seek access to their own personal information and to seek corrections if necessary. Access and correction processes will be in accordance with the Freedom of Information Act 1981.
- Unique identifiers - Unique identifiers can be used for data matching only under certain conditions.
- Anonymity - Where lawful and feasible, clients should have the option of transacting with an organisation without identifying themselves.
- Disclosure of information outside Tasmania - If personal information travels outside Tasmania, the privacy protection should travel with it.
- Sensitive information - There are special restrictions on information such as health, racial origin, religious beliefs, political views and criminal records.