This is an HTML version of an attachment to the Freedom of Information request 'Privacy training in the Defence Department'.




Australian Privacy Principle 4: Dealing with unsolicited personal information

As discussed on the APP 3 knowledge page, there are two APPs that concern the collection of personal 
information: APP 3 and APP 4. APP 3 specifically deals with the collection of solicited information, 
whereas APP 4 is limited to the collection of unsolicited information. 
This page deals only with the collection of unsolicited personal information; however, when collecting 
unsolicited personal information, APP 3 will also apply. 
The Office of the Australian Information Commissioner advises: 
'Unsolicited personal information is information received by an APP entity where the entity has taken no 
active step to collect the information.' 
Defence may receive unsolicited personal information from Defence personnel or external parties, including: 

when a Defence member or Defence APS employee makes a complaint (e.g. Redress of Grievance 
or Review of Actions);  

when members of the public make contact with Defence;  

when Defence has solicited some personal information from a person, but more personal 
information than was requested has been provided. 
If an APP entity receives personal information and it did not solicit that information, the entity must, within 
a reasonable period of time, determine whether or not it could have collected the information under APP 3 
(Collection of solicited personal information; see the APP 3 knowledge page). 
If the unsolicited personal information is not contained in a Commonwealth record, and the personal 
information could not be collected under APP 3, the personal information must, as soon as practicable after 
the information was received, be destroyed or de-identified if it is lawful to do so. 
The Office of the Australian Information Commissioner advises: 
'A 'Commonwealth record' is likely to include, in almost all cases, all personal information collected or 
received by agencies. Where an organisation is a contracted service provider under a Commonwealth 
contract, the records created, managed or held by that organisation under the contract may also be 
Commonwealth records.' 
As such, in most cases unsolicited personal information received by Defence is likely to be classed as a 
Commonwealth record. Therefore, such information should not be destroyed or de-identified and must be 
kept in accordance with the Defence Records Management Policy Manual (POLMAN 3). 
Handling unsolicited personal information 
Unsolicited personal information that cannot be destroyed or de-identified (e.g. the personal information is 
part of a Commonwealth record) must be handled in accordance with APPs 5 to 13. This would include 
taking reasonable steps to notify the individual that their information has been collected and the purposes for 
the collection. 
 
