Insights / July 28th, 2020

Can I Collect That?

The Australian Privacy Principles ('APPs') in the Privacy Act 1988 (Cth) limit how personal information can be collected. Collecting personal information outside these limits can result in significant penalties, undermine a business's relationship with its customers and damage its reputation in the market.

Generally, one of the first privacy obligations a business encounters is the requirement to collect and manage personal information in an open and transparent way. But how can this standard be met?

Collecting Personal Information

Australian (and international) privacy laws require a data-minimisation approach to collection. In other words, a business may only collect the personal information that is reasonably necessary for one or more of its functions or activities. This requires ongoing consideration of what is reasonably necessary for day-to-day operations and of the purposes for which information is collected.

For example, an online bookstore needs to collect contact and address details to ship books to its customers. This information is reasonably necessary for the operation of the business, as it cannot deliver books without it. If the online store started collecting information such as job titles, employment status and dates of birth, this would go beyond what is reasonably necessary.

Collection of unnecessary personal information can amount to a breach of the APPs and the Privacy Act 1988 (Cth) and potentially result in penalties.

Notifying Individuals

Businesses covered by the Privacy Act must notify individuals that they are collecting their personal information at or before the time it is collected or, if that is not practicable, as soon as practicable afterwards. All collection practices must be lawful and fair, and consent must be sought where it is required, for example before collecting sensitive information.

A customer notification must meet the standards set in the APPs. This includes telling individuals: who is collecting the personal information, why it is collected, whether it will be disclosed to another entity, and what rights they have to access, correct or complain about the information collected.

Just as collecting excessive or unnecessary personal information can attract penalties, so can failing to notify individuals when you are collecting their personal information.

Compliance Tips

The simplest way to comply with many of the privacy obligations in Australian law is to have a robust and comprehensive privacy policy and compliance plan in place that sets out:

  • how your business collects and manages personal information;
  • why you collect and use personal information;
  • the rights individuals have regarding the information you collect; and
  • what to do if a data breach occurs or you receive a complaint.

The practices set out in your privacy policy and compliance plan must also be followed and regularly reviewed to ensure ongoing compliance with privacy laws. It is not sufficient simply to have a privacy policy and information handling policy in place; they must be implemented and followed in practice.

If you have any queries regarding your privacy obligations or wish to discuss privacy law, data protection and your business, contact us and our consumer protection and privacy law experts can assist you.

This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and, to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.