Collecting personal information from a third party carries legal risk. In this article, our Privacy Lawyer, Farrah Motley, explains when you can collect personal information from a third party, what you must check before you do, and when you should not.
The Privacy Act 1988 (Cth) governs the privacy obligations of businesses and governments in Australia. There are 13 Australian Privacy Principles (APPs). These privacy rules explain the process that APP entities must follow when collecting, using and storing personal data.
Australia’s privacy laws have been amended so that businesses which seriously or repeatedly interfere with individuals’ privacy face significantly higher penalties. Australian businesses need to take data handling and privacy compliance seriously.
What is an APP Entity?
The Privacy Act applies to what is referred to as an APP entity. If a business meets the following criteria, it will be considered an APP entity:
has an annual turnover of more than $3 million; or
has an annual turnover of $3 million or less, but provides a health service and holds health information (other than employee records), trades in personal information (discloses or collects it for a benefit, service or advantage), or is a contracted service provider under a Commonwealth contract.
If a business is an APP entity, it must comply with the Privacy Act, including the 13 APPs.
This article does not discuss the State and Territory Privacy Acts.
What is Personal Information?
Personal information
The definition of personal information under the Privacy Act is:
information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
In summary, personal information means information that may identify an individual. This may include information such as date of birth, telephone number, email address, bank account details and other data which may reveal an individual’s identity.
Sensitive information
Sensitive information is a subset of personal information (for example health information and medical records) that attracts stricter handling rules. In particular, APP 3 generally requires the individual’s consent before an APP entity collects sensitive information, and APP entities must take additional steps to protect it.
Here is how the Privacy Act defines sensitive information:
sensitive information means:
(a) information or an opinion about an individual’s:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual orientation or practices; or
(ix) criminal record; that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information; or
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.
Collecting Personal Information From a Third Party
APP entities are allowed to collect personal information only if:
the individual has been notified of the collection, or otherwise made aware of it (see APP 5 below)
the collection is reasonably necessary for one or more of the business’s functions or activities
the information is collected by lawful and fair means, and directly from the individual unless that is unreasonable or impracticable (the Act’s term; this article also uses ‘impractical’)
Lawful and fair collection
APP 3, which talks about data collection, outlines the requirements for lawful and fair collection, including collecting information from third parties.
Use and disclosure
APP 6, which relates to use and disclosure, sets out when an organisation may use or disclose personal information. It generally permits use or disclosure only for the primary purpose of collection, or for a secondary purpose the individual would reasonably expect (or has consented to). When you obtain personal data from a third party, consider whether your intended use and disclosure align with the purpose for which that third party originally collected it.
For example, were the contact details collected so that the original business could market its own products? If so, you are likely to run into trouble with the Australian Information Commissioner if that information is passed to a third party and then used by an insurance company to sell insurance, because selling insurance is not a purpose the individual would reasonably expect.
Unreasonable or impractical
An organisation may collect personal information from a third party (for example by buying it) only where collecting it directly from the individual is unreasonable or impracticable. That is the organisation’s burden to establish, not an assumption it can make because a third party is willing to sell.
Context is important when deciding whether collecting personal information directly is unreasonable or impracticable. Some considerations that may be relevant include:
whether the individual would reasonably expect their personal information to be collected from another source;
the sensitivity or type of personal information that is being collected;
if the collection poses any risks;
the time and cost involved if the entity was to collect the information directly from the individual; and
whether collecting the information directly would risk the integrity or purpose of the personal information.
Consent and collecting personal information from third parties
Businesses may seek to avoid collecting personal data directly from a person. They may argue that they have obtained consent because their privacy policy mentions that they collect personal information from third parties, or because the third party from whom they receive the personal information has a privacy policy that mentions sharing personal data with other companies.
Even if this amounts to ‘consent’ for the purposes of the Privacy Act, it is not an exception to the direct-collection rule for private businesses. APP 3.6 allows collection from a third party on the basis of the individual’s consent only where the collecting entity is a government agency; an organisation must instead show that direct collection is unreasonable or impracticable.
Notification of Collecting Personal Information From a Third Party
APP 5 requires entities to take reasonable steps to notify the individual of certain matters or ensure the individual is aware of those matters when collecting their personal information.
These matters include:
the identity and contact details of the business collecting the information
the fact that the information was collected from someone other than the individual, and the circumstances of that collection (where the individual may not otherwise be aware of it)
the purposes of collection
the main consequences (if any) for the individual if the personal information is not collected
any other entities to which the business usually discloses that kind of personal information
that the business’s privacy policy explains how the individual can access and correct their information and make a complaint (in practice, a link to the policy)
whether the business is likely to disclose the personal information overseas and, if practicable, to which countries
This applies whether the personal information is collected directly from the individual or obtained from a third party, and the obligation is yours rather than the third party’s. If you intend to rely on the third party’s collection notice, confirm that it actually covered these matters and identified you (or your class of business) as a recipient; if it did not, you must take your own reasonable steps to notify the individual.
Before collecting personal information through a third party, you must be able to show that it is unreasonable or impracticable to collect the information directly. If that is the case and your business elects to use a third party to gather individuals’ personal information, you must then ensure the third party collected the information in line with the APP requirements, because a defect in their collection becomes a defect in yours.
Address-harvesting software and personal information
The Spam Act 2003 (Cth) prohibits supplying, acquiring or using address-harvesting software, or a harvested-address list produced by such software, for the purpose of sending unsolicited commercial electronic messages.
Address-harvesting software is software specifically designed or marketed to search the internet (websites, forums, social media and the like) for electronic addresses such as email addresses and mobile numbers and to collect them, typically for direct marketing or lead generation. Your business must not use address-harvesting software or buy lists produced by it.
Key takeaways for collecting personal information
There may be circumstances where you can collect personal information from a third party. The key question is whether that third party complied with its own APP obligations. If you are not sure how the third party went about collecting the personal information, ask for evidence: for example, records of consent and a copy of the collection notice or disclosure that was made to the person.
You should also consider entering into a contract with the third party that warrants its compliance with the Privacy Act and gives you an indemnity if a breach of its privacy obligations causes you to breach the APPs.
Frequently Asked Questions
Can I buy an email list from a third party?
The short answer is maybe.
If you can verify that the third party obtained informed and voluntary consent (covering sharing with, and marketing by, businesses like yours) before collecting the personal information, you may be able to purchase an email list.
In practice, however, it is difficult to know whether the people on a purchased list consented to their information being shared or used for marketing, and a seller’s assurance is not the same as evidence.
There is also a quality risk. Purchased lists are often out of date, inaccurate or irrelevant to the audience you want to reach. APP 10 requires you to take reasonable steps to ensure that personal information you collect, including from a third party, is accurate, up-to-date and complete.
Sending unsolicited emails to individuals who have not opted in also creates a negative experience of your business.
Additionally, sending unsolicited commercial emails without proper consent is spam and a breach of the Spam Act 2003. And you must not buy a list that was produced by address-harvesting software.
Do I have to collect personal information directly from an individual?
The Privacy Act requires businesses to collect personal information directly from the individual unless it is unreasonable or impracticable to do so. Because it is usually easy to ask the individual directly (for example through an online form or at sign-up), the threshold for showing that direct collection is unreasonable or impracticable is a high one.
What is de-identified information?
Under the Privacy Act, personal information is de-identified when it is no longer about an identifiable individual, or an individual who is reasonably identifiable. In practice, de-identification means processing data to remove or alter the elements that could identify a person, reducing the likelihood that the information can be linked back to them.
De-identified information is typically used for research, analysis and statistical purposes while minimising the risk of privacy breaches. Removing direct identifiers such as names, contact details and unique identifiers, and generalising others (for example keeping a birth year rather than a full date of birth), makes the data less likely to reveal who it relates to.
Although de-identification reduces the risk of identification, it does not guarantee anonymity. Combining a de-identified dataset with other data the recipient holds or can obtain (public registers, social media, another leaked or purchased dataset) can re-identify individuals, and matching on a handful of quasi-identifiers such as date of birth, postcode and sex is often enough. Whether data is genuinely de-identified therefore depends on the release context: who will receive it and what else they could plausibly link it to.
The Office of the Australian Information Commissioner (OAIC) publishes de-identification guidance for entities sharing or using data for research or analysis.
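The following is an added example, not code from the article or its author, showing why “remove the names” is not the same as de-identification. It drops direct identifiers and pseudonymises the record key with a keyed hash, then runs the linkage attack described above against a constructed “public” listing. All records, the HMAC key and the field names are made-up assumptions for illustration.

```python
# Added example (not from the article): de-identify a constructed dataset, then
# run the kind of linkage attack the text warns about. All data is constructed;
# the key, field names and generalisation rules are assumptions for illustration.
import hashlib
import hmac

# Constructed "research extract" containing personal information, including
# health information (sensitive information under the Privacy Act).
RAW_RECORDS = [
    {"name": "Alice Ng",   "email": "alice@example.com", "dob": "1985-03-14", "postcode": "2000", "sex": "F", "diagnosis": "asthma"},
    {"name": "Bob Tran",   "email": "bob@example.com",   "dob": "1985-07-02", "postcode": "2010", "sex": "M", "diagnosis": "diabetes"},
    {"name": "Carol Diaz", "email": "carol@example.com", "dob": "1990-11-23", "postcode": "3000", "sex": "F", "diagnosis": "migraine"},
    {"name": "Dan Okafor", "email": "dan@example.com",   "dob": "1990-11-23", "postcode": "3000", "sex": "M", "diagnosis": "influenza"},
]

# Constructed "public" listing a recipient could plausibly hold: names beside
# date of birth, postcode and sex, and no health information at all.
PUBLIC_RECORDS = [
    {"name": "Alice Ng",   "dob": "1985-03-14", "postcode": "2000", "sex": "F"},
    {"name": "Bob Tran",   "dob": "1985-07-02", "postcode": "2010", "sex": "M"},
    {"name": "Carol Diaz", "dob": "1990-11-23", "postcode": "3000", "sex": "F"},
    {"name": "Dan Okafor", "dob": "1990-11-23", "postcode": "3000", "sex": "M"},
    {"name": "Eve Park",   "dob": "1985-09-30", "postcode": "2000", "sex": "F"},
    {"name": "Frank Liu",  "dob": "1985-01-01", "postcode": "2015", "sex": "M"},
    {"name": "Grace Kim",  "dob": "1990-05-05", "postcode": "3011", "sex": "F"},
    {"name": "Hank Moss",  "dob": "1990-06-06", "postcode": "3050", "sex": "M"},
]

DIRECT_IDENTIFIERS = {"name", "email"}          # removed outright
QUASI_IDENTIFIERS = ("dob", "postcode", "sex")  # kept, but single people out when combined


def pseudonymise(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed hash (HMAC-SHA256).
    An unkeyed hash would let anyone recover the email by hashing guesses;
    the key stays with the data custodian and is never given to recipients."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise(record: dict) -> dict:
    """Coarsen quasi-identifiers: birth year only, postcode cut to its first two digits."""
    g = dict(record)
    g["dob"] = record["dob"][:4]
    g["postcode"] = record["postcode"][:2] + "xx"
    return g


def deidentify(records: list, key: bytes, coarsen: bool = False) -> list:
    """Drop direct identifiers, add a pseudonymous id, optionally generalise quasi-identifiers."""
    out = []
    for r in records:
        d = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        d["pid"] = pseudonymise(r["email"], key)
        out.append(generalise(d) if coarsen else d)
    return out


def link(deid_records: list, public_records: list, coarsen: bool = False) -> dict:
    """Linkage attack: for each de-identified row, collect every public record whose
    quasi-identifiers match at the same granularity. Returns {pid: set of candidate names}."""
    public = [generalise(p) if coarsen else p for p in public_records]
    linkage = {}
    for d in deid_records:
        linkage[d["pid"]] = {p["name"] for p in public
                             if all(p[k] == d[k] for k in QUASI_IDENTIFIERS)}
    return linkage


def count_unique(linkage: dict) -> int:
    """Rows pinned to exactly one person, i.e. re-identified (and their diagnosis exposed)."""
    return sum(1 for names in linkage.values() if len(names) == 1)


if __name__ == "__main__":
    key = b"custodian-only-secret"  # assumption: held by the custodian, not shared
    naive = deidentify(RAW_RECORDS, key)
    print("names and emails removed, exact quasi-identifiers kept:",
          count_unique(link(naive, PUBLIC_RECORDS)), "of", len(naive), "re-identified")
    coarse = deidentify(RAW_RECORDS, key, coarsen=True)
    print("quasi-identifiers generalised:",
          count_unique(link(coarse, PUBLIC_RECORDS, coarsen=True)), "of", len(coarse), "re-identified")
```

With names and emails stripped but exact date of birth, postcode and sex retained, every row in the constructed extract links to exactly one person in the public listing, and the diagnosis column is then attributable to a named individual. After generalising those fields, each row matches two candidates and none is uniquely re-identified. Two candidates is only enough to make the point here; a real release needs a larger indistinguishable group, and the assessment must be repeated against whatever other datasets the intended recipient could plausibly hold.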
Does the Privacy Act apply to my business?
If you are an APP entity (as defined by the Privacy Act), privacy laws will apply to you. Even if your business is not yet an APP entity, some platforms require their corporate users to have a privacy policy in place. There is also an expectation by individuals that any handling of personal information is done with care. It is therefore helpful to your business to comply with privacy laws even if your business is not technically an APP entity.