There is no limit to the sources from which information may be obtained to qualify as collection. However, an organisation is said to collect personal information only if it gathers, acquires or obtains the information for inclusion in a record or generally available publication. If the information is not recorded then collection has not occurred. Therefore merely coming by personal information in a media article is not collection, unless it is saved or filed for later, and being told something verbally is not collection unless notes are taken at some stage, or a recording is made.
An organisation is said to hold personal information about a person if it has possession or control of a record of it. It includes instances where there is no physical possession, but only a legal right to control it.
To de-identify information is to take any record of personal information and remove or alter details so that the individual it is about can no longer be identified. This includes not only names, but also other information from which the individual can be identified.
An organisation is a private entity. The Act also covers government bodies, which it calls agencies and to which it applies slightly different rules, but we are not concerned with those. An organisation can be any of the following:
an individual (including a sole trader)
a body corporate
any other unincorporated association, or
The reference to ‘an individual (including a sole trader)’ is about people doing business in their individual capacity. There is no law against gossip and casual chatter!
Exclusion of Small Business Operators
Excluded from the definition of organisation are ‘small business operators’ and political parties. For purposes of the Act, a ‘small business operator’ is defined as an individual, body corporate, partnership, unincorporated association or trust that carries on one or more small businesses, each one having an annual turnover of $3 million or less. If any business operation is greater than this, then the organisation is not a ‘small business operator.’ The word ‘business’ is not defined, but is used so as to refer to more than just commercial operations.
Exceptions to the Exclusion
Even if each of a business’s operations is small enough to be exempt from the Act, the business is nevertheless not exempt if any of the following applies:
it provides a health service to an individual and holds health information,
it discloses personal information about another individual to anyone else for payment,
it provides payment for the collection of personal information about another individual from anyone else,
it is a contracted service provider to the Commonwealth,
it is a credit reporting body,
a special exception applies, such as a business choosing to be an (See sections 6E & 6EA).