New APP guidance means you should consider checking your information collection practices now

Steven Klimt
19 May 2026
3 minutes

Organisations should consider reviewing their information collection practices, following an update to the Australian Privacy Principles (APP) Guidelines issued by the Office of the Australian Information Commissioner (OAIC).

The update revises the Guidelines on APP 3, the principle governing the collection of personal information. It expands the guidance on the approach organisations should adopt in their collection processes, particularly in light of current technology and information collection practices. Organisations would be well advised to review their information collection practices against this revised guidance.

Whether and how you collect personal information

The revised APP Guideline expressly adopts the finding made in the proceedings brought by the Privacy Commissioner against Bunnings that where an organisation holds personal information momentarily, even for milliseconds, this constitutes a collection of that information. It also specifies other examples of collection. These include collection of personal information:

  • through facial recognition technology;

  • by a router or hub for a service or system;

  • gathered from the internet by automated collection methods such as data scraping, web crawling and third-party tracking pixels;

  • provided to an AI chatbot or agent on an organisation's website; and

  • provided at a business meeting, including AI-generated recordings and transcripts.

When you can collect personal information

Under APPs 3.1 and 3.2, organisations can only collect personal information which is reasonably necessary for one or more of the organisation's functions or activities. The guidance on this test has been revised.

Functions and activities

It states that an organisation's functions and activities are those currently undertaken or proposed to be undertaken, together with the activities carried out in support of them.

However, for proposed functions and activities to be covered, there should be a decision to carry them out and established plans for doing so.

The functions and activities of an organisation are to be determined objectively. While the guidance refers to the activities and functions the organisation focuses on, it emphasises the importance of public material, such as how those functions and activities are described on the organisation's website.

Reasonably necessary

The revised Guidelines provide that organisations must be able to justify that a particular collection is reasonably necessary and that they should use a "data minimisation" approach in determining whether this is the case. Echoing the reasoning in the Bunnings case, the revised guidance sets out the factors relevant to determining whether a collection is "reasonably necessary", which include:

  • the primary purpose of collection;

  • how the personal information will be used in undertaking a function or activity of the organisation;

  • whether the entity could have undertaken the function or activity without collecting the personal information or by collecting less personal information; and

  • the proportionality of the collection. This involves balancing the privacy impacts of the collection with the benefits gained.

When collection of personal information is fair

The revised Guidelines amplify how the obligation in APP 3.5 only to collect personal information by "lawful and fair means" should be interpreted. They state that the concept of fairness is not fixed and should be adapted to changing circumstances in accordance with community values.

While all surrounding circumstances need to be considered, they set out examples of factors to be considered in determining whether a collection is fair:

  • whether the individual is aware of their personal information being collected, with an emphasis on transparency;

  • whether the individual would reasonably expect their personal information to be collected and used in this manner and for this purpose. In particular, the guidance states that the fact that personal information is publicly available on the internet does not mean it can be collected and used in whatever way the organisation chooses. The organisation must have regard to the knowledge and reasonable expectations of the individual concerned;

  • whether the individual's choice is being distorted, manipulated or undermined, for example through poorly designed or misused "online choice architecture";

  • what the risk of harm would be to individuals as a result of the collection; and

  • whether the individual is in, or is perceived to be in, a vulnerable or at-risk situation.

Key takeaways

While this guidance reflects the approaches the current Privacy Commissioner has taken in investigations and proceedings, it brings these matters together in one document. It reflects her position that the Privacy Act is "principles-based" regulation, so its application can change as commercial practices and community standards change. It has a potentially far-reaching impact, as many organisations may not have undertaken the rigorous analysis of their information collection practices that the guidance requires.

The Privacy Commissioner is likely to use the approach set out in the revised Guidelines to shape investigation and enforcement strategies, which may result in these matters being further tested in Courts and Tribunals. This may lead to some of the matters set out in the Guidelines being moderated. For example, the revised matters in the Guidelines are based at least partially on the Privacy Commissioner's ruling in the IRE Investigation, which is currently subject to appeal.

Unless and until the principles set out in the revised Guidelines are rejected by a Court or Tribunal, organisations should assess not only any new or changed information collection practices against the revised Guidelines, but should also consider doing so for their existing information collection practices. Particular danger points are:

  • new technology that has been or is proposed to be rolled out;

  • whether the collection is reasonably necessary; and

  • the fairness of the collection.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.