In carrying on their activities many organisations collect personal information from a range of public sources. These include books, newspapers, magazines, websites, television, radio, telephone directories (hard copy and electronic), share registers, the register of births, deaths and marriages, ASIC company registers, company annual reports, the electoral roll, court records, National Personal Solvency Index, land titles registers, personal property registers, probate registers and registers of change of name.
This information sheet aims to give helpful and practical advice to organisations about how the Privacy Act 1988 (Cth) (the Privacy Act) applies to personal information that is publicly available. Much of the information and advice would also be relevant to Commonwealth Government agencies. It covers both where organisations collect information from public sources and also where organisations and Commonwealth Government agencies collect information to include in a generally available publication.
This information sheet assumes that the reader has knowledge of the National Privacy Principles in the Privacy Act and so does not spell out in detail what they say. The information sheet complements the Guidelines to the National Privacy Principles.
Although each question stands alone it will help the reader to understand the information if the questions are read in the order in which the paper sets them out.
The information sheet includes best practice tips. The Privacy Act does not require organisations to comply with these tips. Rather the tips aim to give organisations helpful information on good privacy practice in particular circumstances.
1. Does the Privacy Act apply to personal information that is publicly available?
Yes, the Privacy Act can apply to personal information that is publicly available if it is collected for inclusion in a record or a generally available publication or is held in a record (see section 16B).
For some examples of where the Privacy Act does not apply to publicly available personal information see Question 4.
Under the Privacy Act, publicly available personal information falls within the definition of personal information in section 6. Therefore an organisation that collects, uses, or discloses publicly available personal information, will need to consider whether, and if so, how, the NPPs apply to the way it handles this information. See Question 2 for more information about when the Privacy Act applies to personal information.
2. Does the Privacy Act apply to organisations collecting personal information to include in a generally available publication?
The Privacy Act applies when an organisation is collecting information for inclusion in either a record or a generally available publication (see section 16B(1)). This means it must comply with the collection principles (NPPs 1, 10 and 3) when it collects the information it intends to publish and holds the information in a record before the time of publication. All the NPPs apply to the personal information an organisation holds before it is published. Once the personal information is published, the NPPs will apply to any personal information that the publishing organisation continues to hold in a record even though the organisation no longer has any obligations in relation to that information in its published form.
3. Does the Privacy Act apply to an organisation in relation to personal information it has published in a generally available publication?
Once the personal information is published in a generally available publication the organisation publishing the information has no obligations under the Privacy Act in relation to the personal information in its published form (see section 16B(2)). However, the NPPs continue to apply to any personal information that the publishing organisation holds in a record.
4. Does the Privacy Act apply when an organisation simply buys a telephone directory or newspaper?
Where an organisation acquires personal information (for example, has a telephone book or newspaper in its possession) but does not collect it to include it either in a record or a generally available publication the Privacy Act does not apply. For example, the Privacy Act would not apply to information in a newspaper that is delivered to an organisation simply for the purpose of keeping its staff informed.
However, if the organisation takes information out of the newspaper and enters it onto its database of information, for example, about valued or potential customers, the Privacy Act would apply to the collection of the information because the organisation has included the information in a record.
5. Do the private sector amendments affect organisations that are also bound by the credit reporting provisions of the Privacy Act (Part IIIA)?
Since the private sector amendments to the Privacy Act came into effect, organisations that are also bound by the credit reporting provisions of the Privacy Act (Part IIIA) will need to consider what steps they might need to take when they collect information from public sources to comply with their obligations under the NPPs.
6. Can organisations collect personal information from public sources?
Yes, an organisation can collect personal information from public sources as long as:
- the collection of the personal information is necessary for its functions or activities (NPP 1.1);
- it collects the information by lawful and fair means (NPP 1.2);
- the collection is otherwise lawful, for example, does not contravene restrictions imposed by the Commonwealth Electoral Act 1918 (Cth);
- if sensitive information is collected, the individual has consented (expressly or by implication) or one of the other provisions in NPP 10 apply. See also the answer to Question 7.
Organisations thinking of collecting personal information from a public register (a list containing personal information that is required by law to be publicly available or open to public inspection), should be aware that some registers have limits set by law on what the personal information included in the register can be used for.
For example, the Corporations Act 2001 (Cth) section 177 prohibits any person from using information obtained from a company shareholder register to contact or send material to a shareholder (or to disclose a list of shareholders to someone else to do so) unless the use or disclosure is relevant to the holding of shares or the exercise of rights attached to them or is approved by the company concerned.
Similarly, the Commonwealth Electoral Act 1918 (Cth) (Electoral Act) section 91B prohibits a person from using for commercial purposes electoral roll information provided by the Australian Electoral Commission (Electoral Commission) in tape or disk format. The Electoral Act section 91A(2A) also prohibits a person (other than a Senator, member of the House of Representatives or political party) from disclosing electoral roll information provided by the Electoral Commission in tape or disk format unless the disclosure is in connection with an election or referendum or monitoring the accuracy of information contained in a roll or other prescribed purpose.
However, the Electoral Act does not place any restrictions on the way a person uses information from the electoral roll when the Electoral Commission has provided the information in print format.
7. Can an organisation collect sensitive information from public sources?
Yes, provided the individual has consented, expressly or by implication or one of the other public interest exceptions set out in NPP 10 applies.
An organisation wanting to collect sensitive information from public sources for example, books, newspapers, or magazines (for example, to develop a profile of an individual for employment or marketing or fundraising purposes) will generally need to consider whether the individual has consented, either expressly or by implication, to the collection.Tip for good privacy practiceWhere an organisation collects sensitive information from a public source on the basis of implied consent it should be careful that its expectations and understanding about what has been impliedly agreed to are the same as that of the individual. If an organisation has any doubt it would be prudent to seek the individual's express consent.
It may be possible to imply consent to the collection of sensitive information in circumstances where a person has consented to their information being published and is likely to understand the kinds of uses that are generally made of that information. Examples of this might be sensitive information collected from Who's Who or company annual reports. Another example might be where a high profile person agrees to be interviewed for a magazine or television show about a health issue affecting them.
It may also be possible to imply consent to collection of sensitive information from a newspaper where the person the information is about is a public figure and the information relates to the public life of that figure. However, this will depend on the circumstances and an organisation should not conclude that just because a person is a public figure that he or she is not entitled to privacy.
8. Does the Privacy Act stop organisations from collecting personal information from a public telephone directory or the electoral roll?
The Privacy Act will not generally stop organisations from collecting information from a public telephone directory or from the electoral roll (see also Question 6). However, the Electoral Act does place restrictions on the use and disclosure of electoral roll information provided by the Electoral Office in tape or disk format. There are no restrictions on use and disclosure of electoral roll information provided in print form.
The Privacy Act does not apply at all in the case of a telephone directory that sits on a desk or bookshelf and is used by the organisation simply to make telephone calls. This would also be the case if an organisation buys a telephone directory on a CD Rom and uses it as a stand alone directory to make phone calls.
Some of the NPPs do apply, however, once an organisation includes such information in a record (for example, in a document, or a database (however kept)) or in generally available publication. Which NPPs apply will depend on whether the information is included in a record or included in a generally available publication (see Question 2 and Question 3).Tips for good privacy practice:Organisations should not necessarily assume that individuals know, expect or welcome the range of organisations that collect personal information from public sources, or that they know, expect, or welcome, the uses that organisations may make of it. Research the Office of the Privacy Commissioner has conducted suggests that a significant proportion of members of the public may have concerns about the use of information in the telephone directory and electoral roll for marketing purposes.At the same time, organisations are entitled to take into account the general desirability of a free flow of information and the right of business to achieve its objectives in an efficient way.The Privacy Commissioner (the Commissioner) therefore encourages organisations to be careful about the way they handle this information and to take into account that individuals may not like an organisation collecting personal information about them and using it in a particular way. The best approach is for organisations to be open about their collection practices. This is particularly important where an organisation has collected information from the electoral roll and other public registers where the individual has no choice about whether or not the information is published.Organisations collecting personal information from a public source will often be collecting for the primary purpose of making contact with an individual and so are not required under the Privacy Act to give them the chance to opt-out under NPP 2.1(c) . However, it would nonetheless be good practice for organisations to give individuals a chance to opt out of receiving further communications stemming from such collection.
9. Does an organisation have to take reasonable steps to ensure an individual is aware of NPP 1.3 matters when it collects personal information about them from a public source?
NPP 1.5 states that:'If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in sub clause 1.3, except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.'
NPP 1.5 applies to circumstances in which personal information is collected from someone other than the individual. In general this may include collection from a public source.
An organisation will therefore need to consider what are reasonable steps to make an individual aware that it has collected information about them, as well as other matters listed in NPP 1.3. For general information about matters to consider when deciding what are reasonable steps, including the limited circumstances where no steps might be reasonable, see [forthcoming] Information Sheet 18 ? 2003: Taking reasonable steps to make individuals aware that personal information about them is being collected.
10. If an organisation collects publicly available personal information and an individual asks about it, must an organisation make an individual aware of NPP 1.3 information?
Generally yes, because at the very least, in most cases, it would be a reasonable step under NPP 1.5 for an organisation to have available, if asked, information about:
- the fact that a person can get access to the information the organisation holds about him or her;
- the purposes for which it collects personal information;
- the organisations, or types of organisations, it usually discloses the information to;
- any law that requires the particular information to be collected; and
- the consequences (if any) for the individual if the information is not collected.
If an individual asks how the organisation got personal information about them and the organisation has collected the information from a public source, then NPP 5 would require the organisation to tell the individual that it collects personal information from public sources. See also Question 12.
The organisation could include the information outlined above in the privacy information it prepares for NPP 5 purposes.
11. In addition to responding to direct requests, how does an organisation decide if taking other steps would be reasonable under NPP 1.5?
There may be some circumstances where it would be reasonable to take no steps under NPP 1.5 to make an individual aware of NPP 1.3 information. These are discussed in general terms in [forthcoming] Information Sheet 18 - 2003: Taking reasonable steps to make individuals aware that personal information about them is being collected. However, where there are reasonable steps that an organisation can take, the Privacy Act makes it clear that an organisation must take them.
As a general guide, the greater the privacy consequences for the individual, the more likely it is to be reasonable, when balanced against other factors, for organisations to expend significant effort in satisfying its NPP 1.5 obligations when it collects information from public sources. (See Guidelines to the National Privacy Principles on NPP 1.4 and NPP 1.5). Examples of where there may be greater privacy consequences for an individual could include, depending on the circumstances, where the personal information is:
- sensitive information;
- to be combined with other information about the individual;
- to be used to make decisions detrimental to the individual, or contrary to their interests.
Few steps reasonable where collection and use reasonably expected .
Where most individuals would reasonably expect a particular collection and use from a public source, reasonable steps under NPP 1.5 would generally amount to providing, if asked, the information outlined in Question 10. For example:
- individuals would generally expect that information about their property (i.e. house and land) might be collected from public sources and used by valuers to assess the value of other people's property;
- a person receiving a public award is likely to be aware, and expect, that organisations may collect this information and use it to send letters of congratulation;
- public figures are likely to be aware of, and expect, a fairly wide range of
collections and uses of public information about themselves. For example, a
politician who has retired from politics would reasonably expect that a range of
organisations would collect that information and use it to update their records.
Tip for good privacy practiceOrganisations should take care when considering what people would
reasonably expect. Individuals may not necessarily expect unlimited collections
and uses of personal information just because it is publicly available. For
example, a person may not expect to receive marketing material on ergonomic
chairs simply because they appeared in a newspaper article saying they had a
chronic bad back. Also, individuals are not necessarily aware that information
available in hard copy can be easily scanned into electronic format and then
included in databases. Another example is that individuals may not necessarily
be aware that information about their share holdings is publicly
Few steps reasonable where use consistent with purpose of collection and publication in register
Where personal information is collected from a public register, it would be reasonable to take the minimum approach outlined in Question 10 where a collection and use is consistent with the specified or plainly evident purpose for which the personal information was collected and published in the public register.
Examples of this could include where an organisation:
- checks, and includes in a record, personal information in a land title register for the purpose of carrying out the purchase or sale of a property or verifying identity of the property and/or title-holder interests in the property for the purpose of assessing a finance application;
- collects information from a register of development and/or building applications to help with the valuation of a property or to assess whether a property nearby will affect its business.
More steps reasonable where an organisation has a relationship with an individual
If an organisation has a relationship with an individual it would generally be easier for the organisation to make an individual aware of NPP1.3 information, because it is likely to make contact with the individual at some point in relation to other matters. For example, if the individual is a customer or client, or an organisation is in discussions with an individual about whether it will become a customer or client, it would usually be a reasonable step for the organisation to make the individual aware, at some time when it is in contact with them, that it collects information about them indirectly from public sources. It could do this at the time it enters into a relationship, or discusses entering a relationship, with the individual or, if it is not possible or practicable, at a later point of contact, for example, when the organisation invoices the individual, or sends them a form.
Examples of where it could be reasonable for an organisation to make an individual aware of NPP 1.3 information when it is in contact with the individual in relation to other matters could be where it:
- collects and uses personal information from public sources to validate or update its databases of existing customers;
- collects and uses public information to do risk assessments of existing or potential clients or customers.
More steps reasonable where an organisation uses publicly available information to make contact with an individual
Where an organisation has collected information about an individual from a public source and uses the information to make contact with the individual, it would be a reasonable step to ensure an individual is aware of NPP 1.3 information at that time.
Examples would be where:
- a fundraiser collects telephone number and address information from a telephone directory, includes it on its database, and uses the information to call the individual. It would be reasonable for the fundraiser, particularly if asked, to make the individual aware at that time of NPP 1.3 information;
- a debt collector records public information and uses it to locate an individual, it would be reasonable for the debt collector to make the individual aware of NPP 1.3 information at first contact.
12. If individuals ask, does an organisation that has collected information from a public source have to tell them where it got personal information about them from?
Yes, in general terms.
NPP 5.2 requires an organisation, if asked, to take reasonable steps to let the person know, generally, how it collects personal information. Therefore, if an individual asks an organisation how it got information about him or her, for example, his or her contact details, then NPP 5.2 would require an organisation, in meeting its obligations, to tell the person, generally, how it collects contact information. This might include:
- the fact that it collects contact information from public sources; and
- the kinds of public sources from which it collects contact information.
13. What NPPs apply to an organisation if it is collecting personal information to publish in a generally available publication?
A media organisation collecting personal information in the course of journalism to publish in a generally available publication will be exempt from the NPPs because of the Privacy Act exemption that applies to journalist activities of media organisations. (See section 7B(4)) and Information Sheet 12 ? 2001 Coverage of and Exemptions from the Private Sector Provisions. The answer below is relevant if this exemption does not apply.
If an organisation is collecting personal information to publish in a generally available publication the NPPs that relate to collection apply (see section 16B(1)). NPP 1 and NPP 10 are the main collection principles. However, an organisation must also ensure that the information it collects is accurate, complete and up-to-date, in order to comply with the collection aspects of NPP 3.
If the organisation holds the information it intends to publish in a record, for example, a document or database, it must also comply with all the other NPPs in relation to that information.
Once the information is published, then the publishing organisation has no further NPP obligations in relation to the personal information in its published form (see section 16B(2)). However, NPP obligations will still apply to any of the personal information that it still holds in a record.
If an organisation is collecting information about an individual from someone other than the individual for the purpose of publishing it in a generally available publication, the organisation must take reasonable steps under NPP 1.5 to ensure that the individual is, or has been made, aware of NPP 1.3 matters.
In this case, it would generally be reasonable for the organisation to make a considerable effort to ensure that an individual is aware that information about them has been collected and other NPP 1.3 matters. This is because the personal information, once publicly available, may be able to be collected and used for a wide range of uses without the individual's consent or knowledge. Also, in these circumstances, the protections of the non collection NPPs will not apply.
14. What steps should an agency or organisation take if it proposes to collect and publish personal information?
Once personal information is in the public domain, individuals have very little control over who might collect it, or what uses can be made of it. The Privacy Act places few restrictions on collection and use of public information except where sensitive information is involved.
Some organisations, for example, Telstra, and some Commonwealth Government agencies (Commonwealth agencies) for example, the Australian Electoral Commission, are required by law to publish personal information.
It is therefore important that a Commonwealth agency or an organisation that proposes to collect personal information and then to make it public, takes seriously its obligations under the Privacy Act (IPP 2: agencies; NPP 1.3, 1.5: organisations) to make individuals aware of the purpose of collection and the fact that personal information about them will be made public.Tips for good privacy practiceIt would be good practice to make sure that the individual is aware of the formats in which the information will be made publicly available as this will affect the kinds of future collection that are possible, as well as the uses that can be made of the information. It would also be good practice, where possible, to give individuals some choice about the manner in which the information is to be made public and choice about uses to which the information can be put.
Where a Commonwealth agency or organisation is required by law to make information publicly accessible, the Commissioner strongly encourages them to take additional steps to balance the lack of choice with other privacy protections to safeguard the information from misuse or unauthorised access. These could include:
- having a clear statement of purpose for making the information public;
- placing limits on bulk releases;
- restricting search fields;
- considering whether de-identified information would meet the purposes of the register;
- having a process for suppressing personal information and other safety measures where a person's security might be at risk;
- considering whether paper or electronic format meets the purposes of the register best;
- using written undertakings to limit uses, with specifically relevant consequences for breach, or having legislative limitations on use of the information with penalties for breach;
- giving the individual the option to agree to specified wider secondary uses;
- limiting the venues where the information is available.
However, the extent to which any of these measures are adopted will depend on the nature and sensitivity of the information made publicly accessible and the potential consequences of the measures.
15. Does the Privacy Act apply to public information about deceased persons?
Information about deceased persons does not fall within the definition of personal information in the Privacy Act. So, the Privacy Act does not apply to any information, public or not, about deceased people. However, the Privacy Act could apply if the information also includes or divulges personal information about a living person.
About Information Sheets
Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)
Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.
Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.
Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner ISBN 1 - 877079 - 44 - 8 Privacy Hotline 1300 363 992 (local call charge)