2.1 An agency or organisation must not collect personal information unless it is necessary for one or more of its functions or activities.
2.2 An agency or organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
2.3 If it is reasonable and practicable to do so, an agency or organisation must collect personal information about an individual only from that individual.
2.4 If an agency or organisation receives unsolicited personal information about an individual from someone else, it must either:
(a) if lawful and reasonable to do so, destroy the information as soon as practicable without using or disclosing it except for the purpose of determining whether the information should be retained; or
(b) comply with all relevant provisions in the UPPs that apply to the information in question, as if the agency or organisation had actively collected the information.
2.5 In addition to the other requirements in UPP 2, an agency or organisation must not collect sensitive information about an individual unless:
(a) the individual has consented;
(b) the collection is required or authorised by or under law;
(c) the collection is necessary to prevent or lessen a serious threat to the life or health of any individual, where the individual to whom the information concerns is legally or physically incapable of giving or communicating consent;
(d) if the information is collected in the course of the activities of a non-profit organisation—the following conditions are satisfied:
(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities; and
(ii) at or before the time of collecting the information, the organisation undertakes to the individual to whom the information concerns that the organisation will not disclose the information without the individual’s consent;
(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim;
(f) the collection is necessary for research and all of the following conditions are met:
(i) the purpose cannot be served by the collection of information that does not identify the individual or from which the individual would not be reasonably identifiable;
(ii) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the collection;
(iii) a Human Research Ethics Committee that is constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research (2007), as in force from time to time, has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act; and
(iv) the information is collected in accordance with Research Rules issued by the Privacy Commissioner; or
(g) the collection is necessary for the purpose of a confidential alternative dispute resolution process.
2.6 Where an agency or organisation collects sensitive information about an individual in accordance with 2.5(f), it must take reasonable steps to ensure that the information is not disclosed in a form that would identify the individual or from which the individual would be reasonably identifiable.
Note: Agencies and organisations that collect personal information about an individual from an individual or from someone else must comply with UPP 3.