5.1 An organisation that collects personal information is to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters. Reasonable steps must be taken at or before the time of collection, or as soon as practicable afterwards. This applies whether the information was acquired through solicitation or not (unless the information is destroyed or de-identified).

 

An organisation must take reasonable steps to give the notification. The OAIC’s policy is that what steps are reasonable must be determined on the circumstances. This includes the sensitivity of the information, the possible adverse consequences for an individual of the collection, special needs of the individual and, excessive impracticability, including the time and expense involved. Mere inconvenience is not an excuse.

 

By implication it may sometimes be unreasonable to require notification. The organisation must justify any inaction. One example provided by the OAIC is where notification may jeopardise the purpose of collection or the integrity of the personal information collected and there is a clear public interest in the purpose of collection. Another is if notification would somehow breach another law.

 

5.2 The matters that an individual must be notified of include those which in the following list are reasonable to expect:

​

• The organisation’s identity and contact details

• Unless the individual should know, the fact that the organisation collects, or has collected, the information, and the circumstances of that collection.

• Any law requiring the collection of the information.

• The purpose of collection.

• The main consequences for the individual of not collecting the information.

• Any other party to which the organisation usually discloses personal information of the relevant kind.

• That the organisation’s privacy policy states how the individual may access the information, and how they may complain about any breach of privacy law.

​