Have you ever found yourself the recipient of personal
information without asking for it? For example:
emails accidentally copied to you;
employment applications sent to you that are not in response to an advertised vacancy; and
receiving more information from clients than you asked for (e.g. detailed financials).
If you have, it might be classified as unsolicited personal
information under the Australian Privacy Principles (APPs). The
APPs require certain steps to be taken when handling unsolicited
personal information, including:
determining whether the information could have otherwise been
destroying or de-identifying the information in certain
appropriately dealing with information.

Determine whether the unsolicited information could have
been otherwise collected

The first step in dealing with unsolicited personal information
is to determine whether you could have otherwise collected the
Under the APPs, you can generally only collect personal
information if it is reasonably necessary for, or directly related
to, one or more of your functions or activities. Further, if the
information is sensitive information, you generally can only
collect it if the individual concerned consents to the

Dealing with unsolicited personal information
that could not have been collected

If you could not have otherwise collected the information, you
have an obligation to destroy or de-identify the information as
soon as practicable, unless it is unlawful or unreasonable to do
It is lawful if the destruction or de-identification is not
criminal, illegal or prohibited or proscribed by law. For example,
it would be unlawful to destroy information where a legislative
provision requires you to retain it for a specified purpose (i.e.
auditing, inspection or reporting purposes).
Reasonableness is determined in the circumstances. Relevant
considerations may include the amount and sensitivity of the
information, whether it's impractical to separate any comingled
unsolicited from solicited information or whether an individual has
expressly requested that you return the information to them.

Dealing with unsolicited personal information that could not
have been collected and is not destroyed or de-identified

If you are not obliged to destroy or de-identify the unsolicited
personal information, you may be able to retain the information;
however, you must do so in accordance with the APPs.
This means, for example, that:
a notice of collection under APP 5 may be required;
the security of the personal information must be protected;
individuals must be able to request access to the personal
information and request that you correct the personal

Why does it matter?

Failure to comply with the APPs may lead to penalties of up to
$1.7 million (for corporations) and up to $340,000 (for
individuals) if they seriously or repeatedly interfere with a
If you find yourself in a position where you have received
personal information without taking steps to collect it, we
recommend you run through the above to determine how to deal with
it. These tips are not exhaustive considerations and you should see
APP 4 and the APP guidelines for more information.
The APPs also require you to act within a reasonable period
after receiving the information, which will depend on the
circumstances. In any event, you should make a decision

Privacy awareness week

This article was part of our series on handling personal
information as part of Privacy Awareness Week. As a partner of the
Office of the Australian Information Commissioner's privacy
awareness campaign, this week Cooper Grace Ward will publish a
series of articles relating to:
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.