Rules for when people collect information about you
Overview
When can an organisation collect my personal information?
Privacy Act 2020, s 22, information privacy principle 1
A government agency, business or other organisation can only collect information about you if:
- they’re doing this for a lawful purpose that’s connected with their functions or activities, and
- collecting the information is necessary for that purpose.
This means that if an organisation does not need your personal information to achieve something closely linked to their activities, they should not ask for your personal information. For example, if a school enrolment form asks parents to state their occupations, the school must be able to show that it needs this information to carry out its lawful purpose.
Who can organisations collect personal information from?
Privacy Act 2020, s 22, information privacy principle 2
When an organisation collects information about you, they must collect it directly from you, rather than from someone else, unless they believe on reasonable grounds that:
- collecting it from someone else wouldn’t be detrimental to you in any way,
- collecting it from you directly would undermine the purposes of collecting the information,
- you’ve given them permission to collect the information from someone else,
- the information is already publicly available,
- collecting it from someone else is necessary to enforce the law, or to protect government revenue, or for any court or tribunal proceedings,
- collecting it from someone else is necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of someone else,
- it’s not reasonably practicable to collect it directly from you in this particular case, or
- the information won’t be used in a way that identifies you (for example, if the information will be used for statistical or research purposes and won’t be published in a way that could identify the individual concerned).
Note: The Privacy Commissioner can authorise an organisation to depart from the rules in the Privacy Act for collecting, using or disclosing information if this would be in the public interest or if there would be a clear benefit to the individuals involved.
In general, information that’s about you should be collected from you. This is because you’re usually in the best position to give accurate information. For example, if you’re applying for a job and the employer wants to get references about you, the employer must get you to nominate referees and get your permission to talk to them.
If the referee wants their comments about you to be kept between the employer and the referee, and not made available to you, then the referee and employer can agree to consider it as “evaluative” material. This will allow them both to refuse to give you the contents of the reference.
What information should I be given when my information is collected?
Privacy Act 2020, s 22, information privacy principle 3
In general, organisations should tell you if they are collecting information that relates to you. When an organisation collects your information directly from you, it must take reasonable steps to make you aware of:
- the fact that the information is being collected,
- the reason that it’s being collected,
- who will be given the information,
- the organisation’s name and address, and the name and address of any other organisation that will be holding the information,
- any particular law that governs the collection of the information, and whether that law requires you to provide the information,
- any consequences for you if you don’t provide the information, and
- your right to have access to the information after it’s been collected, and to ask for it to be corrected if it’s wrong (see: “How you can access your information and correct it if necessary”).
Note: These things should be explained to you before the information is collected or as soon as practicable after the information is collected. However, an agency doesn’t have to explain these things if it has already done so when it collected similar information, from the same individual, on a recent occasion.
The organisation collecting the information from you doesn’t have to comply with those requirements if it believes, on reasonable grounds, that:
- your interests wouldn’t be affected,
- not complying with those requirements is necessary to enforce the law, or to protect government revenue, or for any court proceedings,
- complying would undermine the purpose of collecting the information,
- it’s not reasonably practical to comply in this particular case, or
- the information won’t be used in a way that identifies you (for example, if the information will be used for statistical or research purposes and won’t be published in a way that could identify the individual concerned).
What methods can agencies use to collect my information?
Your information must be collected by methods that are legal, fair, and that don’t intrude unreasonably on your personal affairs.
For example, a private investigator who lied about their identity and intentions in order to find out information for an insurance company would be using an unfair means of collecting information.