Privacy Law

Australian Privacy Principle 3 - Collection of Solicited Personal Information

Collecting information, for purposes of the Act, is when information is gathered, acquired or obtained for inclusion in a record or publication. The information can come from any source, by any means.

 

Soliciting of information is, for purposes of the Act, when an organisation requests information from an individual or a third party about the individual. The individual may or may not be involved at all. It can then be collected – that is, acquired and placed on record.

 

Personal information other than sensitive information

3.1-3.2   An organisation must not collect personal information (other than sensitive information) unless it is reasonably necessary for, or directly related to, one or more organisation functions or activities. Therefore collecting information  that will not be used is disallowed.

 

Sensitive Information

3.3 If the information sought is sensitive information, an organisation must not solicit it fro many source unless the individual consents to the collection of the information and the information is reasonably necessary for one or more organisation functions or activities; or if any of a few special situations apply, such as:

  • If the information is required or authorised by law or a court order;

  • If he collection of the information is reasonably necessary for, or directly related to, one or more of the organisation’s functions or activities; or

  • a applies, such as where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or confidential alternative dispute resolution.

Means of collection

3.4 An organisation can only collect personal information by lawful and fair means. A fair means is defined as ‘one that does not involve intimidation or deception, and is not unreasonably intrusive.’[1] The OAIC stated, by way of example, that obtaining information covertly is unfair, unless it is done for purposes of fraud detection.[2]

 

3.5 An organisation must collect personal information about an individual only from the individual unless it is unreasonable or impracticable to do so. There is no law giving further detail, but the OAIC’s policy is that what is reasonable and practicable depends on:

  • whether the individual would reasonably expect personal information about them to be collected directly from them

  • the sensitivity of the information

  • whether direct collection would jeopardise the purpose of collection or the integrity of the information

  • any privacy risk

  • excessive time, cost and inconvenience involved in collecting directly from the individual, as judged from all the circumstances.

 

 

[1] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 77 , as stated in Australian Privacy Principles Guidelines, Privacy Act 1988, Office of the Australian Information Commissioner, Canberra, 2015, p14.

[2] Australian Privacy Principles Guidelines, op cit 2.