Collection and notification

56.3 The ‘Collection’ principle in the model UPPs provides that an agency or organisation may only collect personal information:

  • that is necessary for one or more of its functions or activities;

  • by lawful and fair means and not in an unreasonably intrusive way; and

  • about an individual from that individual, if it is reasonable and practicable to do so.

56.4 The ‘Notification’ principle provides that, at or before the time an agency or organisation collects personal information about an individual from the individual or from someone other than the individual, it must take steps to notify the individual, or ensure that the individual is aware of, the:

  • fact and circumstances of collection, where the individual may not be aware that his or her personal information has been collected;

  • identity and contact details of the agency or organisation;

  • rights of access to, and correction of, personal information provided by the UPPs;

  • purposes for which the information is collected;

  • main consequences of not providing the information;

  • actual or types of organisations, agencies, entities or other persons to whom the agency or organisation usually discloses personal information;

  • fact that the avenues of complaint available to the individual are set out in the agency’s or organisation’s Privacy Policy; and

  • fact, where applicable, that the collection is required or authorised by or under law.

56.5 The provisions of Part IIIA of the Privacy Act depart significantly from these principles (and the equivalent NPP) in two relevant respects. First, s 18E of the Privacy Act sets out exhaustively the permitted content of credit information files held by credit reporting agencies.[2] No other personal information may be included in an individual’s credit information files, even if the information is ‘necessary’ in terms of the privacy principles.

56.6 Secondly, Part IIIA contains a specific notification obligation in that, under s 18E(8)(c), a credit provider must not give personal information relating to an individual to a credit reporting agency if ‘the credit provider did not, at the time of, or before, acquiring the information, inform the individual that the information might be disclosed to a credit reporting agency’.

56.7 Issues relating to the permitted content of credit reporting information and notification of the collection of credit reporting information are discussed below.

[2] The permitted content of credit information files is summarised in Ch 53.