16 May 2016

Privacy Awareness Week day 1 – collection of personal information

This week is Privacy Awareness Week. As an official partner of the Office of the Australian Information Commissioner’s privacy awareness campaign, Cooper Grace Ward will be publishing a series of articles.

Are you aware of your obligations under the Privacy Act and the Australian Privacy Principles (APPs)? Does your business have appropriate processes to manage the handling of personal information?

This week is Privacy Awareness Week. As an official partner of the Office of the Australian Information Commissioner’s privacy awareness campaign, Cooper Grace Ward will be publishing a series of articles that relate to:

  • how your business can collect personal information;
  • how your business can engage in direct marketing;
  • how your business should handle requests to access and correct personal information;
  • the importance of a social media policy; and
  • how your business can organise internal privacy awareness and training.

Collecting personal information

Under APP 3, your business can only collect personal information if it is reasonably necessary for one or more of your business’ functions or activities. However, if that personal information is sensitive information, your business generally cannot collect it unless the individual has consented to the collection.

The term ‘collection’ is broad and encompasses gathering, acquiring or obtaining information from any number of sources, including:

  • the individual themselves;
  • other businesses;
  • public documents;
  • surveillance cameras; and
  • online web browsing tools such as cookies, embedded scripts, and device identifiers.

What is reasonably necessary for your business functions and activities?

There are many reasons why your business may seek to collect personal information. For example, collection of personal information may allow your business to:

  • inform customers about new products or services;
  • advertise and promote surveys and competitions;
  • complete customer transactions; and
  • respond to customer complaints and other inquiries.

As a general rule, the collection of personal information will be ‘reasonably necessary’ if your business cannot perform effectively or pursue business functions and activities without collecting that personal information.

Before collecting personal information for use in a function or activity, it is always worth considering whether a reasonable alternative exists.

What is sensitive information?

Sensitive information includes information about an individual’s:

  • health;
  • racial or ethnic origin;
  • political opinions or membership of a political association;
  • religious beliefs or affiliations;
  • membership of a professional or trade association or trade union;
  • sexual orientation or practices; or
  • criminal record.

If your business seeks to collect any sensitive information about an individual then, in most cases, the individual’s consent must be obtained before the collection.

Notification of collection

Under APP 5, your business is also required to notify the individual about the collection as soon as practicable after the personal information is collected.

Matters that should be notified to the individual can include:

  • the identity and contact details of your business;
  • the purposes for which the personal information has been collected;
  • whether the business will disclose personal information to a third party or to overseas recipients;
  • the consequences for the individual if the personal information is not collected; and
  • that your privacy policy contains information about how the individual may access personal information and complain about a breach of the APPs.

Your business can notify individuals of the collection of their information by incorporating a privacy notification statement that outlines all of the mandatory matters into application forms, client agreements, terms of trade or at the point of sale.

Why does it matter?

Failure to comply with the APPs may lead to penalties of up to $1.7 million (for corporations) and up to $340,000 (for individuals) if they seriously or repeatedly interfere with a person’s privacy.

For more information on Privacy Awareness Week, see the Office of the Australian Information Commissioner’s website.

We can work with you to navigate through a wide range of privacy matters. If you would like further information about any privacy issues, please contact a member of our privacy team.

Like this article? Share it via:

This publication is for information only and is not legal advice. You should obtain advice that is specific to your circumstances and not rely on this publication as legal advice. If there are any issues you would like us to advise you on arising from this publication, please let us know.

Stay up to date with CGW

Subscribe to our interest lists to receive legal alerts, articles, event invitations and offers.

Key contacts

Charles-Sweeney-web
Charles Sweeney
Managing Partner
Carly-Ashwood-web
Carly Ashwood
Special Counsel

Areas of expertise

Read next