APP 5 Notifying individuals about collections
Let’s look at the why, when and how of notifying individuals about collection.
It is important for individuals to know who has collected their personal information. You should generally notify individuals before you collect their personal information or at the time of collection. If that cannot be done, you should notify them as soon as possible after the collection.
How should notice be given?
Notice can be given in several ways, including:
- in a short written statement
- by providing a link to a statement
- including a statement on the form the individual is filling out.
It is important that the person’s attention is drawn to this notice. If the notice is provided on a form to be completed by the person, they should be able to either take a copy with them or access the information elsewhere, for example, on your agency’s webpage.
You will need to notify individuals about a range of things, including:
- the APP entity’s identity and contact details
- the fact and circumstances of collection
- whether the collection is required or authorised by law
- the purposes of collection
- the consequences if personal information is not collected
- the entity’s usual disclosures of personal information of the kind collected by the entity
- whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.
It is important to remember that notifying a person of what you intend to do with their information is not the same as seeking their consent to do those things.
Sometimes there is a good reason not to notify an individual about a collection. It is your agency’s responsibility to justify not taking any steps to notify in these circumstances. For example, if a doctor informs a patient that they will send the patient’s health information to the specialist they have been referred to, then it is reasonable for the specialist not to take any steps to notify as well. Similarly, where notification may jeopardise a law enforcement agency undertaking lawful surveillance of an individual in connection with a criminal investigation, or where notification would breach another legal obligation (such as a client’s legal professional privilege), then notification may not be required.
Your agency’s Privacy Officer can provide more specific advice on how your agency handles notifications. Module 3 has more information about Privacy Officers and their responsibilities.