Current coverage by IPPs and NPPs

21.3 Significantly, neither the Information Privacy Principles (IPPs) nor the National Privacy Principles (NPPs) require that an individual give his or her consent before an agency or organisation is permitted to collect the individual’s personal information. There is, however, a general prohibition, subject to a finite list of exceptions, against the collection of sensitive information by organisations. One of these exceptions is where the individual consents to the collection.[1]

21.4 IPPs 1–3 deal with the collection of personal information by government agencies. IPP 1 provides that personal information shall not be collected for inclusion in a ‘record’ or in a ‘generally available publication’ unless: (a) the purpose for which the information is collected is lawful and directly related to a function or activity of the collector; and (b) the collection is necessary for, or directly related to, that purpose. The Office of the Privacy Commissioner (OPC) has expressed the view that ‘purpose of collection’ is to be interpreted narrowly, and that agencies should have a clear purpose for collecting each piece of personal information. It is not generally acceptable for an agency to collect information just because it may be useful in the future.[2] In addition, IPP 1 provides that personal information is not to be collected by unlawful or unfair means.

21.5 IPPs 2 and 3 cover ‘solicitation’ of personal information. IPP 2 provides that where an agency solicits personal information directly from the individual concerned for inclusion in a record or a generally available publication, the agency must take reasonable steps to ensure that, before or soon after the information is collected, the individual is generally aware of:

  • the purpose for which the information is being collected;

  • if applicable, the fact that the collection is authorised or required by law; and

  • to whom it is the agency’s usual practice to disclose or pass on personal information of the kind collected.

21.6 The Explanatory Memorandum notes that there would be circumstances in which an agency would not need to take any steps to ensure that the individual was aware of the matters specified in IPP 2 when soliciting personal information from that person.[3]

21.7 IPP 3 provides that where an agency solicits personal information for inclusion in a record or in a generally available publication, it must take reasonable steps, having regard to the purpose for which the information is collected, to ensure that the:

  • information is relevant to that purpose, up-to-date and complete; and

  • collection does not intrude unreasonably on the individual’s personal affairs.

21.8 This principle is limited to personal information solicited from the individual and from third parties. It does not extend to information received without solicitation by the agency.[4]

21.9 NPP 1 provides that an organisation may only collect personal information:

  • that is necessary for one or more of its functions or activities;

  • by lawful and fair means and not in an unreasonably intrusive manner;

  • after taking reasonable steps to ensure the individual is aware of: the organisation’s identity and contact details; the fact that he or she can access the information; the purposes of collection; the organisations to which the organisation usually discloses information of that kind; any law requiring the particular information to be collected; and the main consequences for the individual if the information is not provided; and

  • from the individual to whom the information relates if it is reasonable and practicable to do so, or from someone else if it takes reasonable steps to ensure that the individual is aware of the matters listed above, except to the extent that making the individual aware would pose a serious threat to anyone’s life or health.

21.10 Further restrictions apply to the collection of sensitive information. These are set out in NPP 10, and discussed separately in Chapter 22.[5]

[1] Privacy Act 1988 (Cth) sch 3, NPP 10.1(a).

[2] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994).

[3] See Explanatory Memorandum, Privacy Bill 1988 (Cth), [61].

[4] Ibid, [63].

[5] ‘Sensitive information’, which is a subset of personal information, is defined in s 6(1) of the Privacy Act.