
Mastering APP5 Compliance: A Guide for Organisations

Written by Sally Wood
Updated over a year ago

The Australian Privacy Principles (APPs)[1] are the cornerstone of the privacy protection framework in the Privacy Act. There are 13 APPs, and they govern the standards, rights and obligations around an APP Entity’s collection, use, handling, storage, access, and disclosure of Personal Information. A breach of an APP is considered under the Privacy Act as an interference with the privacy of an individual and can lead to regulatory action and penalties.

Of all the Australian Privacy Principles, APP5 – Notification of the Collection of Personal Information – is the one most often missed by organisations, and it is often confused with the obligation under APP1 to have a privacy policy. Let's unpack the essentials of APP5 compliance.

Enhancing Transparency in Personal Information Collection: A Deep Dive into APP5

Under APP5, an organisation that is required to comply with the Privacy Act and that collects personal information about an individual must take ‘reasonable steps’ to notify the individual (or otherwise ensure the individual is aware) of the following matters:

  • The organisation’s identity (including full name and ABN/ACN) and contact details

  • A statement that the organisation collects (or has collected) personal information about the individual, including the circumstances of the collection and, where the information was collected from a third party rather than from the individual, that fact

  • Whether the collection of the personal information is authorised or required by a law

  • The purpose of the collection

  • Any consequences for an individual if all (or some) of their personal information is not collected (for example, unable to deliver goods an individual has purchased if they do not provide their postal address)

  • The organisations, bodies or persons (or the types of organisations, bodies or persons) to which the organisation usually discloses personal information of the kind collected

  • A statement that the organisation’s privacy policy contains information on: how an individual can access or correct their personal information, how an individual can make a complaint about the handling of their personal information (and how the organisation will deal with that complaint), and whether the personal information is likely to be disclosed to an overseas recipient (and if so, which countries).[2]

The items above are collectively referred to as the “Collection Notice Matters”.

Requirement of APP5

An organisation must ensure an individual is made aware of the Collection Notice Matters at or before the time the individual shares their personal information with the organisation. If that is not practicable, the organisation must notify the individual as soon as reasonably practicable after the personal information has been collected.

However, compliance with APP5 is not limited to circumstances where an individual has shared their personal information with an organisation.

An organisation must notify an individual about the Collection Notice Matters any time the organisation collects personal information about that individual. This includes circumstances where the organisation has received personal information about an individual from a third party (for example, from a referring organisation) or where the organisation has purchased a marketing list.

It is also important to note that what counts as ‘reasonable steps’ for making an individual aware of the Collection Notice Matters depends on what would be considered reasonable in the circumstances, having regard to how the personal information was collected.

For example, if the organisation is collecting resumes (which obviously contain personal information) via a recruitment platform (such as Seek.com), the organisation should check whether the recruitment platform already has a process in place that makes the individual aware of the Collection Notice Matters, including that the individual’s resume will be passed on to the organisation. If so, it may not be reasonable to require the organisation to take further steps to notify the individual again that it has received their resume. However, each situation should be assessed on a case-by-case basis, and it is therefore recommended that an organisation undertake proper due diligence on APP5 compliance whenever it receives personal information from a third party.

Complying with APP5

There are various ways an organisation can comply with APP5, but here are some common examples of compliance:

  • Including a statement at each place where personal information is collected on an organisation’s website (for example, the contact form) to notify the individual that their personal information will be collected and handled in accordance with the organisation’s Privacy Collection Notice. This statement usually links to the Privacy Collection Notice (which opens on a separate web page when clicked).

  • Having a Privacy Collection Notice physically displayed at an organisation’s reception.

  • Providing a verbal notice of the Collection Notice Matters when an individual shares their personal information with an organisation over the phone.

  • Writing an email to an individual advising them of the Collection Notice Matters when the organisation has received the individual’s personal information from a third party.

If your organisation collects personal information from multiple sources (not just from individuals directly), you may wish to seek legal advice for assistance with customising a privacy collection notice.

This help article does not purport to be legal advice, and it is recommended that organisations seek independent legal advice to better understand their legal obligations under the Privacy Act.


[1] Located at Schedule 1 of the Privacy Act.

[2] These matters are listed under APP5.2.
