Your consent is generally needed for the collection of your sensitive information or to use or disclose your personal information for a purpose other than the purpose it was collected for.
You give express consent if you give it openly and obviously, either verbally or in writing. For example, when you sign your name (by hand, or by an electronic or voice signature). An organisation or agency must get your express consent before handling your sensitive information.
An organisation or agency doesn’t need your express consent to handle your non-sensitive personal information, but they need to reasonably believe that they have your implied consent.
It’s not sufficient for an organisation or agency simply to tell you of their collection, use or disclosure of your personal information. Unless they presented you with an opt-out option, they cannot assume your implied consent.
Example: opt-out option
An organisation or agency writes to you to say they’ll be disclosing your customer information for another purpose unless you opt out within 30 days. If you don’t contact them within 30 days, then they can assume they have your implied consent to use or disclose your customer information for the purpose they wrote to you about.
However, the situation isn’t always clear cut. Since consent must be informed, an organisation or agency needs to make sure:
- they presented the opt-out option clearly and prominently and can be reasonably sure you saw it
- you were given the information about what happens if you don’t opt out
- the opt-out option was freely available and not bundled with other purposes
- it was easy for you to opt out (it took you little effort and was free or cost little)
- if you fail to opt out, the results aren’t serious
- if you opt out at a later date, as far as practical, you’ll be in the same position as if you had opted out earlier.
A bundled consent is a single request for consent from an organisation or agency that contains several requests to collect, use and disclose your personal information, and does not let you choose which ones you consent to and which you don’t.
For example, a medical practice issues a bundled request for consent to use your personal information for medical research purposes and direct marketing, and to disclose it to a third-party marketing company. In this case, you would not be able to agree to the use of your personal information for medical research without agreeing to receive marketing materials.
Avoid giving bundled consent unless the request:
- gives you the choice not to consent to one or more proposed collections, uses and/or disclosures of your personal information
- gives you enough information about each proposed collection, use and/or disclosure
- tells you the consequences, if any, of not consenting to one or more of the proposed collections, uses and/or disclosures of your personal information.
Can you withdraw your consent?
You can withdraw your consent at any time. The organisation or agency concerned must make sure the process is easy and accessible, and that you understand the possible consequences of withdrawing your consent. For example, you may no longer have access to a service.
Once you withdraw consent, an organisation or agency can’t rely on your past consent for any future use or disclosure of your personal information.
More about what consent involves
Consent must be informed
Your consent is only valid if you’re aware of the consequences of giving or not giving your consent at the time you make the decision. An organisation or agency should:
- clearly explain how they want to handle your personal information
- communicate their request in plain English, without legal or industry jargon.
Consent must be voluntary
You give voluntary consent if you’re not forced or pressured to give your consent. Some factors that decide if consent is voluntary are:
- the options available to you if you choose not to consent
- the seriousness of any consequences to you, your family or associates if you refuse to consent.
Consent must be current and specific
When you give consent at a particular time and for specific circumstances, an organisation or agency can’t assume your consent continues indefinitely.
When asking for your consent, an organisation or agency must explain the reason for their request and be as specific as possible. They shouldn’t ask for a broader consent than is necessary. For example, you shouldn’t be asked to consent to undefined future uses or vague statements such as ‘all legitimate uses or disclosures’.
You must have the capacity to give consent. This means you:
- understand you’re being asked to decide to give or not give your consent
- understand the consequences of giving or not giving your consent
- base your decision on reason
- can communicate your decision.
Your capacity to give consent could be affected if:
- you’re a minor (see Children and Young People)
- you have a physical or mental disability
- you’re temporarily incapacitated (for example, you’re having a psychotic episode, you’re suffering from a temporary psychiatric illness, you’re unconscious, you’re in severe distress or you’re suffering from dementia)
- you have limited understanding of English.
What if an individual lacks capacity?
If an organisation or agency is unsure if an individual has the capacity to give consent at a particular time, then they shouldn’t rely on any consent decision the individual makes at that particular time. Instead, they should think about offering support, such as an interpreter. If such support is insufficient, then an organisation or agency may consider if someone can act on the individual’s behalf, such as:
- a guardian
- someone with enduring power of attorney
- a person recognised by other relevant laws — for instance, in NSW, a ‘responsible person’ under the Guardianship Act 1987 (NSW) may be a spouse, partner, carer, family member or close friend
- a person the individual nominated in writing when they were capable of giving consent.
As far as practical, an organisation or agency should involve the individual who lacks capacity in the consent decision.
For more information about consent, see the Australian Privacy Principles Guidelines, Chapter B.