Victorian public sector organisations subject to Part 3 of the Privacy and Data Protection Act 2014 (PDP Act) are required to adhere to the Information Privacy Principles (IPPs). The IPPs set out the minimum standards for the handling of personal information in the Victorian public sector.
IPP 1 sets out requirements to consider when collecting personal information. This includes taking reasonable steps to provide a notice of collection as per IPP 1.3. This is commonly referred to as a collection notice.
WHAT IS A COLLECTION NOTICE?
A collection notice is a statement that is provided to an individual at or before the time an organisation collects personal information from them (or if that is not practical, as soon as possible after the information is collected). A collection notice explains to individuals the purpose for which the information is collected, and how the organisation will use and handle the information.
In addition to meeting the requirements of IPP 1.3, giving notice is important because it promotes transparency about an organisation’s collection and handling of personal information, and ensures individuals are aware of their rights and obligations in relation to giving up (and later accessing) their information.
PRIVACY POLICIES AND COLLECTION NOTICES
Although they both inform individuals about how an organisation will manage their personal information, privacy policies and collection notices are different.
WHAT SHOULD A COLLECTION NOTICE CONTAIN?
IPP 1.3 states that at or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of –
- the identity of the organisation and how to contact it; and
- the fact that the individual is able to gain access to the information; and
- the purposes for which the information is collected; and
- to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and
- any law that requires the particular information to be collected; and
- the main consequences (if any) for the individual if all or part of the information is not provided.
THE PURPOSES OF COLLECTION
The purposes of collecting the information should be clearly stated and specific, rather than explained by a general reference to a broad power such as ‘licensing’, or ‘for the performance of our functions’. In some situations, there may be several purposes of collection. Organisations should aim to list all the known purposes for which they are collecting that personal information from individuals, to ensure that they are able to use the information as intended.
Individuals are more likely to accept secondary uses or disclosures of their personal information when organisations are upfront about how they will use the information they are collecting.
TO WHOM THE ORGANISATION USUALLY DISCLOSES INFORMATION OF THAT KIND
Organisations are required to ensure that individuals are made aware of where their information is likely to flow. A collection notice can explicitly list the individuals/organisations to whom information is disclosed, for example ‘State Revenue Office’. Alternatively, organisations can be referred to by type, such as ‘state and federal taxation authorities.’ Where the information is usually shared for specific purposes, the notice should also refer to these. If personal information is collected with the intention of publication or dissemination (such as online or in a publicly available document), this should be made explicitly clear at the time of collection.
ANY LAW THAT REQUIRES THE PARTICULAR INFORMATION TO BE COLLECTED
Where an organisation has the power to compulsorily obtain information, such as under its enabling legislation, this should be made clear. The collection notice should state which law is being relied upon as the basis for collection, as this makes the organisation’s authority clear and allows an individual to verify the legal basis for collection.
CONSEQUENCES IF INFORMATION IS NOT PROVIDED
Organisations are required to provide notice about the consequences for individuals if they choose not to provide all or part of the personal information requested. For instance, an organisation may not be able to provide a full range of services if certain information is not provided.
Where an individual has the option to not give certain details (such as an email address, phone number or even name), this should be made clear. There may be instances where an individual does not wish to participate or take advantage of all of the organisation’s activities, and so may prefer to withhold certain information.
WHEN SHOULD A COLLECTION NOTICE BE PROVIDED?
A collection notice should be provided to an individual each time the organisation collects personal information from them. When collecting personal information in connection with different functions or activities, organisations will need to provide more than one collection notice. This is because the purposes for collection, the type of information collected, and the way in which the information is used and disclosed may differ with each activity. For example, information collected when receiving complaints from the general public will be different from information collected as part of a recruitment process, and it will be used in different ways.
IPP 1.3 states that a collection notice must be provided before or at the time of collection. Where this is not practicable, IPP 1.3 allows for notice to be given as soon as practicable after the time of collection. For example, with the provision of emergency services, it may not be practicable to provide a collection notice either prior to, or at the time of collection. In this case, organisations should take reasonable steps to ensure individuals are made aware of the matters set out in IPP 1.3 as soon as possible after the information is collected.
In some situations it may not be reasonable to collect personal information directly from the individual. IPP 1.5 adds that where personal information about an individual is collected from another source, the organisation must take reasonable steps to ensure that the individual is aware of the matters set out in IPP 1.3, unless doing so would pose a serious risk to the life or health of any individual.
Organisations will need to assess what reasonable steps should be taken to give notice to the individual that information about them has been collected from a third party. This will include considering issues such as the ability of the organisation to contact the individual, the nature of the information collected, and what will be done with the information.
An organisation is required to take reasonable steps to ensure that an individual is aware of the various matters set out in IPP 1.3. What constitutes ‘reasonable steps’ will depend on a number of factors, which may include:
- if notice is likely to have already been received by the individual, for example, where an individual is responding to an organisation that provided a collection notice in the initial communication;
- the nature of the particular information collected and its impact on privacy;
- what will be done with the information, who will have access to it and how it will be used; and
- the ability of the organisation to contact the individual concerned.
LAYERING COLLECTION NOTICES
Where appropriate, an organisation may decide to ‘layer’ its collection notice. This may involve, for example, providing a concise summary of key points on a form, sign, or poster, and then referring to, or providing a link to, the full collection notice. Collection notices must be specific for each individual instance of collection; a generic collection notice will not be sufficient.