Businesses must only collect personal information when reasonably necessary

John Bennett
Part 2 of a four-part series on your business’ responsibilities related to cyber attacks and data breaches
Protect your business by only collecting personal information you need

The best way to protect your business from a data breach is to avoid collecting any personal information. Of course, this often goes against commercial goals. However, as suggested by the Office of the Information Commissioner (OAIC), businesses must consider whether it is necessary to collect and hold personal information to carry out their functions or activities.[1]

Two of the Australian Privacy Principles (APP) impose obligations on businesses at the personal information collection stage.

The first, APP 3, imposes obligations on the collection of solicited personal information. This applies to information that a business ‘requests’. Examples include credit account forms, employment applications responding to job ads, credit card payment records and CCTV footage.

The other, APP 4, applies to unsolicited personal information. This is information received but not sought by the business. Examples include misdirected emails, employment applications received when there is no job ad, and petitions containing names and addresses.

Collection of solicited personal information

APP 3 requires that the business only collect personal information if it is reasonably necessary for one or more of the entity’s functions or activities. Collection must be lawful and fair. It also requires collection from the individual concerned except where unreasonable or impracticable. Additional consents and requirements apply for collection of sensitive information.

Accordingly, the threshold issue with collecting personal information is whether your business really needs it – is it reasonably necessary for any of your functions or activities? If personal information is collected unnecessarily, it exposes the business to risk. Notably, a previous Government expressly warned against collecting personal information ‘on the off-chance that it may become necessary for a future function or activity, or that it may be merely helpful.’[2]

When is it ‘reasonably necessary’ to collect personal information?

The intent with the ‘reasonably necessary’ requirement is that businesses are objective and practical when asking for personal information.[3] The OAIC has cautioned that it is the business’ responsibility ‘to justify that the particular collection is reasonably necessary.’[4] Ultimately, it comes down to whether the business really needs the personal information to carry out its function or activity.[5]

The OAIC has provided examples of where it has previously ruled that collection was not ‘reasonably necessary’:

  • A job applicant being asked to advise if they had suffered a work-related injury or illness, when this was irrelevant for the advertised position.
  • A person applying to open a bank account being asked to complete a form that included a question about marital status, when this had no bearing on their eligibility.
  • A medical practitioner photographing a patient for the patient’s medical file, when this wasn’t necessary to provide a health service.

There have also been court decisions on the ‘reasonably necessary’ point. In Lee v Superior Wood, an employer collected sensitive information through biometric scanners for the purposes of consolidating its payroll system. The Fair Work Commission held that this wasn’t ‘reasonably necessary’ but rather ‘administratively convenient’. The circumstances also disclosed that other options had been identified but not considered.

In Jurecek, an employee complained that her employer unfairly, intrusively and secretly obtained and used personal information from her Facebook in an investigative process. The employee argued that this information wasn’t necessary for the performance of the employer’s functions and activities. The Court held that the collection was necessary as it was legitimate for the employer to conduct a misconduct investigation.

Unsolicited personal information

APP 4 aims to ensure that personal information received by an entity is afforded privacy protections, even when the entity has done nothing to solicit the information.[6] APP 4 requires that the business, within a reasonable period after receiving unsolicited personal information, determines whether or not it could have lawfully collected the information under APP 3 (i.e. through soliciting the information). If the business determines that it couldn’t have collected the personal information and the information isn’t contained in a Commonwealth record, the business must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that it is de-identified.

In a data security context, APP 4 essentially means the business must quickly decide whether to get rid of the information or not. Notably, the business must justify any delay in destroying or de-identifying unsolicited personal information when it does not need to keep the information.[7]


[1] OAIC, Guide to securing personal information ‘Reasonable steps’ to protect personal information (June 2018) 7-11.

[2] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 75.

[3] Ibid 53-54.

[4] Office of the Australian Information Commissioner, Australian Privacy Principles guidelines ‘Chapter 3: Australian Privacy Principle 3 – Collection of solicited personal information’ (July 2019).

[5] Ibid.

[6] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 77.

[7] Office of the Australian Information Commissioner, Australian Privacy Principles guidelines ‘Chapter 4: Australian Privacy Principle 4 – Dealing with unsolicited personal information’ (July 2019).
