Part 2 of a four-part series on your business’ responsibilities related to cyber attacks and data breaches
Protect your business by only collecting personal information you need
The best way to protect your business from a data breach is to avoid collecting any personal information at all. Of course, this often conflicts with commercial goals. However, as the Office of the Australian Information Commissioner (OAIC) suggests, businesses must consider whether it is necessary to collect and hold personal information in order to carry out their functions or activities.[1]
Two of the Australian Privacy Principles (APP) impose obligations on businesses at the personal information collection stage.
The first, APP 3, imposes obligations on the collection of solicited personal information. This applies to information that a business ‘requests’. Examples include credit account forms, employment applications responding to job ads, credit card payment records and CCTV footage.
The other, APP 4, applies to unsolicited personal information. This is information received but not sought by the business. Examples include misdirected emails, employment applications received when there is no job ad, and petitions containing names and addresses.
Collection of solicited personal information
APP 3 requires that the business only collect personal information if it is reasonably necessary for one or more of the entity’s functions or activities. Collection must be lawful and fair. It also requires collection from the individual concerned except where unreasonable or impracticable. Additional consents and requirements apply for collection of sensitive information.
Accordingly, the threshold issue with collecting personal information is whether your business really needs it – is it reasonably necessary for any of your functions or activities? If personal information is collected unnecessarily, it exposes the business to risk. Notably, a previous Government expressly warned against collecting personal information ‘on the off-chance that it may become necessary for a future function or activity, or that it may be merely helpful.’[2]
When is it ‘reasonably necessary’ to collect personal information?
The intent with the ‘reasonably necessary’ requirement is that businesses are objective and practical when asking for personal information.[3] The OAIC has cautioned that it is the business’ responsibility ‘to justify that the particular collection is reasonably necessary.’[4] Ultimately, it comes down to whether the business really needs the personal information to carry out its function or activity.[5]
The OAIC has provided examples of where it has previously ruled that collection was not ‘reasonably necessary’:
- A job applicant being asked to advise if they had suffered a work-related injury or illness, when this was irrelevant for the advertised position.
- A person applying to open a bank account being asked to complete a form that included a question about marital status, when this had no bearing on their eligibility.
- A medical practitioner photographing a patient for the patient’s medical file, when this wasn’t necessary to provide a health service.
There have also been court decisions on the ‘reasonably necessary’ point. In Lee v Superior Wood, an employer collected sensitive information through biometric scanners for the purposes of consolidating its payroll system. The Fair Work Commission held that this wasn’t ‘reasonably necessary’ but rather ‘administratively convenient’. The circumstances also disclosed that other options had been identified but not considered.
In Jurecek, an employee complained that her employer unfairly, intrusively and secretly obtained and used personal information from her Facebook in an investigative process. The employee argued that this information wasn’t necessary for the performance of the employer’s functions and activities. The Court held that the collection was necessary as it was legitimate for the employer to conduct a misconduct investigation.
Unsolicited personal information
APP 4 aims to ensure that personal information received by an entity is afforded privacy protections, even when the entity has done nothing to solicit the information.[6] APP 4 requires that the business, within a reasonable period after receiving unsolicited personal information, determine whether or not it could have lawfully collected the information under APP 3 (i.e. by soliciting it). If the business determines that it could not have collected the personal information, and the information is not contained in a Commonwealth record, the business must destroy the information or ensure that it is de-identified, as soon as practicable but only if it is lawful and reasonable to do so.
In a data security context, APP 4 essentially means the business must quickly decide whether to get rid of the information or not. Notably, the business must justify any delay in destroying or de-identifying unsolicited personal information when it does not need to keep the information.[7]
For more information, please contact Coleman Greig’s Privacy and Data Protection lawyers.
[1] Office of the Australian Information Commissioner, Guide to securing personal information: ‘Reasonable steps’ to protect personal information (June 2018) 7-11.
[2] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 75.
[3] Ibid 53-54.
[4] Office of the Australian Information Commissioner, Australian Privacy Principles guidelines ‘Chapter 3: Australian Privacy Principle 3 – Collection of solicited personal information’ (July 2019).
[5] Ibid.
[6] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 77.
[7] Office of the Australian Information Commissioner, Australian Privacy Principles guidelines ‘Chapter 4: Australian Privacy Principle 4 – Dealing with unsolicited personal information’ (July 2019).