Organisations and agencies sometimes need personal information about you to carry out their work. Australian privacy law sets out what personal information they can collect and what they need to tell you.

An organisation may only collect your personal information that is reasonably necessary for their work. An agency may only collect your personal information that is directly related to their work. They don’t need your consent unless the information is sensitive.

Sensitive information

An organisation or agency must usually ask for your consent to collect sensitive information. There are situations where they don’t need to, for example, where an individual, in need of urgent medical treatment, is unable to consent to the collection of their health information because they’re unconscious.

How can an organisation or agency collect personal information?

An organisation or agency must only collect personal information in a lawful and fair way. If practical, they must collect the information from you personally and not from third parties. But there are situations where organisations and agencies are allowed to collect information about you from third parties. For example:

  • where you would reasonably expect it or where you’ve consented to your personal information being shared
  • a law enforcement agency may collect personal information about an individual who is under investigation without asking the individual directly because to do so may jeopardise the investigation
  • if a legal or official document mailed to an individual is returned to the sender, then the sender may need to get the individual’s current contact details from another source.

For more information, see the Australian Privacy Principles (APP) Guidelines, Chapter 3.

Sometimes an organisation or agency may receive your personal information when they haven’t asked for it. For example, they may receive misdirected mail. How the organisation or agency handles such a situation is explained in the APP Guidelines, Chapter 4.

What you must be told when your personal information is collected

When an organisation or agency collects your personal information they must take reasonable steps to tell you the following information, as close as possible to the time they collected your personal information:

  • the organisation or agency’s identity and contact details
  • the fact and way in which the organisation or agency collected your personal information
  • if collecting your personal information is required or authorised by law
  • the reasons the organisation or agency collected your personal information
  • the consequences if the organisation or agency doesn’t collect your personal information
  • the organisation or agency’s usual disclosures of the kind of personal information being collected
  • information about the organisation or agency’s privacy policy
  • if the organisation or agency is likely to disclose personal information to overseas recipients, and if practical, the countries where they are located

For more information, see the APP Guidelines, Chapter 5.