Australian Privacy Principle 4 - Dealing with Unsolicited Personal Information
4.1 If an organisation receives personal information which it did not solicit, it must determine whether it is information that it could have collected under APP 3. See APP 3, above, for further details.
4.2 The organisation can use or disclose the information for purposes of making this determination.
4.3 If the answer to 4.1 is ‘no’, then the organisation must destroy or de-identify that information as long it is lawful and reasonable to do so. If the answer is ‘yes’ then the organisation need not destroy or de-identify it, but must handle it in accordance with the Act....
ORDER FOR FULL TEXT.