Welcome back! This is where you left us. Not what you wanted?

Module 2 Handling personal information

20 minutes

Learning objectives

This module will cover how you can collect, use and disclose personal information, and how you can handle personal information in your day-to-day work in a way that complies with the APPs. It will also cover agency obligations around keeping personal information secure, and retaining and destroying personal information.

At the end of this topic you should be able to:

  • understand how to lawfully collect personal information
  • state how to lawfully use and disclose personal information
  • identify safe personal information handling practices.

Ready? Click the Play button to start the video.

Video transcript

If you handle personal information in your work, it is essential that you consider privacy — including how personal information should be collected, used and disclosed, and properly secured.

The Australian Privacy Principles set out requirements for the handling of personal information, to ensure that your agency:

  • is transparent about how personal information is used
  • meets community expectations around the collection, use and disclosure of personal information
  • stores personal information securely, and
  • provides a clear way for people to make enquiries and complaints about the way personal information has been handled.

It is also important to remember that even if you are legally permitted to handle personal information in a certain way, it doesn’t necessarily mean you should. Agencies rely on public trust — it enables them to carry out their functions. Trust is also essential to support innovative uses of personal information.

Using personal information in unexpected ways can damage trust and your agency’s reputation.

If you need more information, talk to your agency’s Privacy Officer or visit www.oaic.gov.au.

Direct YouTube link: https://youtu.be/oFDH6vkGxhQ. If YouTube is blocked, try this video.

Understanding why you are handling personal information

Whenever you collect someone’s personal information, it is very important that you understand why you are collecting it (the purpose of collection), as this relates directly to what your agency can do with it.

If you are clear about why you are collecting personal information, your agency will be able to better communicate with individuals about this purpose and the later uses or disclosures that are planned for this information.

APP 3 When can you collect personal information?

There are several questions you need to ask when collecting personal information. Click on each to find out more.

  1. What information do I need to collect?

    Make sure you understand what specific information you need to collect before you collect it.

  2. Why do I need this information? What is the purpose of the collection?

    Any information your agency collects needs to be reasonably necessary for, or directly related to, its functions and activities. If the information is not reasonably necessary for, or directly related to, your functions or activities, then you should not collect it.

  3. Is this collection lawful and fair?

    Agencies can only collect personal information by ‘lawful and fair means’. A ‘fair means’ of collecting information must not involve intimidation or deception and should not be unreasonably intrusive. You should also be aware of other laws that may affect your collection of information.

  4. What might be an unlawful purpose?

    Something that is prohibited by law is an unlawful purpose. For example, collecting information in order to commit a crime is clearly unlawful. Collecting information which breaches another law is also unlawful. For example, threatening damage to a person unless information is provided, collecting information using telephone interception or a listening device except under the authority of a warrant, or requesting or requiring information in connection with, or for the purpose of, an act of discrimination.

  5. Does the information need to be identifiable?

    Consider whether the information that you collect needs to identify a person. Individuals should have the option of remaining anonymous or using a pseudonym, unless this is not possible. You should also consider whether you could collect or use de-identified information.

  6. Who are we collecting the information from?

    Generally, personal information should only be collected directly from the individual concerned. This ensures that the person knows that information is being collected about them. This also allows the person to know – and to have some control – over what information is collected.

    There are some exceptions to this, including:

    • if the individual consents to you collecting their information from a third party
    • where the collection is authorised by law
    • where it is not reasonable or practical to collect the information directly from the individual.
  7. Is it accurate?

    If you have to collect personal information, you should take reasonable steps to confirm that the information that you collect is accurate, complete and up to date. In some circumstances — such as where you collect the information directly from the person themselves — it may be reasonable to take no steps.

Sensitive information

The requirements that apply to the collection of sensitive information are even higher. Unless an exception applies, you may only collect sensitive information where it is both reasonably necessary for, or directly related to, your agency’s functions or activities, and the individual concerned consents to your collection.

There are some exceptions. For example, you can collect sensitive information without consent if you are taking appropriate action in relation to suspected unlawful activity or serious misconduct, or the collection is required or authorised by law.

Should we collect this information?

An agency runs a public consultation on a new policy. The agency requires the people giving feedback to also provide their full name, date of birth, marital status and residential address. Should the agency ask for this information?

Hint: The identity of the person providing feedback is not likely to be relevant to their comments. It is not necessary for the agency to know who is making a comment in order to use it in their consultation process.


Date of birth, address and marital status are highly unlikely to be needed for the consultation process. The person providing feedback should have the option to remain anonymous if possible.


In this scenario, people should have the option of making anonymous comments. The date of birth, address and marital status of the person providing feedback are unlikely to be required for the consultation process.

APP 5 Notifying individuals about collections

Let’s look at the why, when and how of notifying individuals about collection.

It is important for individuals to know who has collected their personal information. You should generally notify individuals before you collect their personal information or at the time of collection. If that cannot be done, you should notify them as soon as possible after the collection.

How should notice be given?

Notice can be given in several ways, including:

  • verbally
  • in a short written statement
  • by providing a link to a statement
  • including a statement on the form the individual is filling out.

It is important that the person’s attention is drawn to this notice. If the notice is provided on a form to be completed by the person, they should be able to either take a copy with them or access the information elsewhere, for example, on your agency’s webpage.

You will need to notify individuals about a range of things, including:

  • the APP entity’s identity and contact details
  • the fact and circumstances of collection
  • whether the collection is required or authorised by law
  • the purposes of collection
  • the consequences if personal information is not collected
  • the entity’s usual disclosures of personal information of the kind collected by the entity
  • information about the entity’s APP Privacy Policy
  • whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

It is important to remember that notifying a person of what you intend to do with their information is not the same as seeking their consent to do those things.

Sometimes there is a good reason not to notify an individual about a collection. It is your agency’s responsibility to justify not taking any steps to notify in these circumstances. For example, if a doctor informs a patient that they will send the patient’s health information to the specialist they have been referred to, then it is reasonable for the specialist not to take any steps to notify as well. Similarly, where notification may jeopardise a law enforcement agency undertaking lawful surveillance of an individual in connection with a criminal investigation, or where notification would breach another legal obligation (such as a client’s legal professional privilege), then notification may not be required.

Your agency’s Privacy Officer can provide more specific advice on how your agency handles notifications. Module 3 has more information about Privacy Officers and their responsibilities.

APP 6 Using and disclosing personal information

Use and disclosure are two separate things.

Generally, an agency ‘uses’ personal information when it maintains control of the information when it handles or manages it. For example, searching records for personal information, or accessing and reading personal information.

An agency ‘discloses’ information when it makes it accessible or visible to others outside the agency, which means the agency no longer controls that information. Examples include accidentally providing personal information to an unintended recipient or displaying your computer screen so that another person can read the personal information.

So how should you be using and disclosing personal information?

Generally, you may use or disclose personal information for the primary purpose of its collection. This means you can use or disclose personal information for the same reason it was collected.

If you want to use or disclose the information for another purpose (a secondary purpose), you can only do so where the individual consents or where another exception applies.

So, what are some of the exceptions?

Here are some examples of where your agency may use or disclose personal information for a secondary purpose without consent:

  • where the individual would reasonably expect you to use or disclose their personal information for a secondary purpose that is related to (or directly related to, for sensitive information) the primary purpose (see the APP Guidelines for some examples)
  • where the use or disclosure is necessary for you to take appropriate action against suspected unlawful activity or serious misconduct relating to your agency’s functions or activities
  • where the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
  • where an overseas disclosure in accordance with APP 8 is permitted.

Remember: just because you are legally allowed to use personal information in a certain way, doesn’t mean that you necessarily should. It is important to remember that agencies rely on the trust of the public. Using personal information in unexpected ways can damage that trust.

If you need help working out whether you can (or should) use personal information for a secondary purpose, you should contact your Privacy Officer.

APP 11 Keeping personal information safe

Now let’s look at how to keep personal information safe.

Agencies must take reasonable steps to keep personal information secure. Your agency will likely have a range of different security safeguards in place.

For example:

  • you may need a security pass to use the lift or to get into your office space
  • there may be cameras or security guards in some agency locations
  • you may need a password to access your computer or certain systems
  • you may need a ‘swipe-to-print’ pass in order to print documents.

There are also things that you can do in your day-to-day work to keep personal information safe and reduce the risk of data breaches caused by human error. Click on each to find out more.

  • No tailgating

    Make sure people don’t tailgate you when you walk into a secure workspace.

  • Lock your computer

    Lock your computer when you walk away from your desk.

  • Pick up your printing

    Don’t leave your documents unattended at the printer.

  • Be careful with emails

    • Check the email address before you send it, especially if the autocomplete function is enabled.
    • You should also make sure you don’t mistakenly select ‘reply all’.
    • If sending to multiple people, use the ‘BCC’ function so you do not reveal recipients’ email addresses.
    • If possible, set up a display warning box which will appear on your screen requesting your confirmation before an email is sent outside your agency.
  • Be aware of common cyber threats such as phishing, malware and ransomware, and how to identify and mitigate these risks

    See Preventing data breaches: advice from the Australian Cyber Security Centre for more information on malicious or criminal attacks, and how to prevent these.

  • Check who’s listening

    Don’t have conversations involving personal information in public places or places where unauthorised people can overhear.

  • Protect storage devices

    You should only transport personal information where necessary. If you are using portable ICT equipment, it must be appropriately secured and protected. Make sure portable storage devices are encrypted and password protected so the information on them can’t be accessed if lost or stolen.

  • Keep your desk clean

    Don’t leave hard copy documents with personal information on your desk. Lock them in a drawer.

  • Dispose securely

    If you’ve finished with a hardcopy document, shred it or put it in a secure disposal bin. Speak to your agency’s record manager about securely disposing electronic records.

Scenario The unattended desk

Click on all the potential security risks at this unattended desk.

Papers on desk Correct! You should secure hard copy documents in a locked drawer.
Unlocked computer Correct! Always lock your computer when you leave your desk to prevent unauthorised people from accessing it.
Security pass Correct! Don’t leave your security pass unattended.
USB memory stick Correct! You should password-protect storage devices so they can’t be accessed if lost or stolen.
Papers in bin Correct! If you don’t need a document, shred it or put it in a secure disposal bin.

Destroying and de-identifying personal information

Let’s look at the obligations that apply when information is no longer needed.

Generally, personal information that is no longer needed should be destroyed or de-identified, unless it’s required for a record-keeping or legal purpose.

However, agencies have specific retention obligations for personal information that forms part of a Commonwealth record. Commonwealth records are regulated by the Archives Act 1983 (the Archives Act) which sets out how long Commonwealth records must be kept and when information may be disposed of.

If you have further questions about information retention or disposal in your agency, contact your Privacy Officer, Records Management Officer or the National Archives of Australia.


Knowledge check

You are now ready for the final Module 2 knowledge check. Answer the five questions.

Question 1

Agencies must notify individuals of certain matters when the agency collects their personal information. Let’s imagine that an agency is collecting names, addresses and contact information for the purposes of responding to complaints. Which of the below would be considered an appropriate way to notify someone about the collection of this personal information?

Question 2

Which of these behaviours may create an information security risk?

Question 3

For an agency to function effectively and perform its normal activities, it should only collect personal information that…

Question 4

When thinking about collecting personal information, which of the below should you consider?

Question 5

Which of the following is not an example of a human error that could cause a data breach?

Go to Module 3