Australian Privacy Principle 4 - Dealing with Unsolicited Personal Information
4.1 If an organisation receives personal information which it did not solicit, it must determine whether it is information that it could have collected under APP 3. See APP 3, above, for further details.
4.2 The organisation can use or disclose the information for purposes of making this determination.
4.3 If the answer to 4.1 is ‘no’, then the organisation must destroy or de-identify that information as long as it is lawful and reasonable to do so. If the answer is ‘yes’, then the organisation need not destroy or de-identify it, but must handle it in accordance with the Act.
Destruction or de-identification is unlawful in some circumstances. The Act does not define what is unlawful, but it is a reference to obligations such as:
Reporting a crime;
Not interfering with evidence of a crime;
ISPs’ obligation to keep metadata for two years.
Examples of unsolicited personal information include misdirected mail, petitions containing contact details, information given in addition to what is requested, and information given casually by private individuals such as customers or friends of employees.