05 May 2015

Privacy Awareness Week day 2 – dealing with unsolicited information

Have you ever found yourself the recipient of personal information without asking for it?

Have you ever found yourself the recipient of personal information without asking for it? For example:

  • misdirected mail;
  • emails accidentally copied to you;
  • employment applications sent to you that are not in response to an advertised vacancy; and
  • receiving more information from clients than you asked for (e.g. detailed financials).

If you have, it might be classified as unsolicited personal information under the Australian Privacy Principles (APPs). The APPs require certain steps to be taken when handling unsolicited personal information, including:

  • determining whether the information could have otherwise been collected;
  • destroying or de-identifying the information in certain circumstances; and
  • appropriately dealing with information.

Determine whether the unsolicited information could have been otherwise collected

The first step in dealing with unsolicited personal information is to determine whether you could have otherwise collected the personal information.

Under the APPs, you can generally only collect personal information if it is reasonably necessary for, or directly related to, one or more of your functions or activities. Further, if the information is sensitive information, you generally can only collect it if the individual concerned consents to the collection.

Dealing with unsolicited information personal information that could not have been collected

If you could not have otherwise collected the information, you have an obligation to destroy or de identify the information as soon as practicable, unless it is unlawful or unreasonable to do so.

  • It is lawful if the destruction or de-identification is not criminal, illegal or prohibited or proscribed by law. For example, it would be unlawful to destroy information where a legislative provision requires you to retain it for a specified purpose (i.e. auditing, inspection or reporting purposes).
  • Reasonableness is determined in the circumstances. Relevant considerations may include the amount and sensitivity of the information, whether it’s impractical to separate any comingled unsolicited from solicited information or whether an individual has expressly requested that you return the information to them.

Dealing with unsolicited personal information that could not have been collected and is not destroyed or de-identified

If you are not obliged to destroy or de-identify the unsolicited personal information, you may be able to retain the information, however you must do so in accordance with the APPs.

This means, for example, that:

  • a notice of collection under APP 5 may be required;
  • the security of the personal information must be protected; and
  • individuals must be able to request access to the personal information and request that you correct the personal information.

Why does it matter?

Failure to comply with the APPs may lead to penalties of up to $1.7 million (for corporations) and up to $340,000 (for individuals) if they seriously or repeatedly interfere with a person’s privacy.

If you find yourself in a position where you have received personal information without taking steps to collect it, we recommend you run through the above to determine how to deal with it. These tips are not exhaustive considerations and you should see APP 4 and the APP guidelines for more information.

The APPs also require you to act within a reasonable period after receiving the information, which will depend on the circumstances. In any event, you should make a decision promptly.

Privacy awareness week

This article was part of our series on handling personal information as part of Privacy Awareness Week. As a partner of the Office of the Australian Information Commissioner’s privacy awareness campaign, this week Cooper Grace Ward will publish a series of articles relating to:

If you would like further information about how to deal with unsolicited information, or privacy issues generally, please contact one of our team.

Like this article? Share it via:

This publication is for information only and is not legal advice. You should obtain advice that is specific to your circumstances and not rely on this publication as legal advice. If there are any issues you would like us to advise you on arising from this publication, please let us know.

Stay up to date with CGW

Subscribe to our interest lists to receive legal alerts, articles, event invitations and offers.

Key contacts

Charles-Sweeney-web
Charles Sweeney
Managing Partner

Areas of expertise

Read next