Australian Privacy Principle 4: Dealing with unsolicited personal information
As discussed on the APP 3 knowledge page, there are two APPs that concern the collection of personal
information: APP 3 and APP 4. APP 3 specifically deals with the collection of solicited information,
whereas APP 4 is limited to the collection of unsolicited information.
This page deals only with the collection of unsolicited personal information; however, when collecting
unsolicited personal information, APP 3 will also apply.
The Office of the Australian Information Commissioner advises:
'Unsolicited personal information is information received by an APP entity where the entity has taken no
active step to collect the information.'
Defence may receive unsolicited personal information from Defence personnel or external parties, including:
o when a Defence member or Defence APS employee makes a complaint (e.g. Redress of Grievance
  or Review of Actions);
o when members of the public make contact with Defence;
o when Defence has solicited some personal information from a person, but more personal
  information than was requested has been provided.
If an APP entity receives personal information and it did not solicit that information, the entity must, within
a reasonable period of time, determine whether or not it could have collected the information under APP 3 -
Collection of solicited personal information (see APP 3 knowledge page).
If the unsolicited personal information is not contained in a Commonwealth record, and the personal
information could not be collected under APP 3, the personal information must, as soon as practicable after
the information was received, be destroyed or de-identified if it is lawful to do so.
The Office of the Australian Information Commissioner advises:
'A 'Commonwealth record' is likely to include, in almost all cases, all personal information collected or
received by agencies. Where an organisation is a contracted service provider under a Commonwealth
contract, the records created, managed or held by that organisation under the contract may also be
Commonwealth records.'
As such, in most cases unsolicited personal information received by Defence is likely to be classed as a
Commonwealth record. Therefore, such information should not be destroyed or de-identified and must be
kept in accordance with the Defence Records Management Policy Manual (POLMAN 3).
Handling unsolicited personal information
Unsolicited personal information that cannot be destroyed or de-identified (e.g. the personal information is
part of a Commonwealth record) must be handled in accordance with APPs 5 to 13. This would include
taking reasonable steps to notify the individual that their information has been collected and the purposes for
the collection.