Whenever an agency collects personal information it must comply with the privacy principles. Information Privacy Principles (IPPs) 1-3 deal with the collection of personal information by an agency which is not a health agency. National Privacy Principle 1 deals with collection of personal information by a health agency.
Collection of personal information
Collection of personal information is a fundamental part of information privacy regulation. It is important that agencies take care when collecting personal information. The primary considerations when collecting personal information are:
- what information is needed to carry out the agency’s purpose?
- can the purpose be achieved without collecting it?
If the answer to the second question is yes, then the information should not be collected.
While some agencies may generate personal information, in most instances personal information held by agencies has been collected – that collection must comply with the privacy principles.
Generally, when collecting personal information an agency must:
- have a specific purpose in mind for it
- not collect any more than is necessary
- not use unfair or unlawful means of collection.
Collecting personal information because the agency thinks it may need it at some time in the future is likely to breach the privacy principles relating to collection.
Solicited versus unsolicited personal information
Some of the privacy principles only apply to solicited information or information the agency asks the individual to provide. The definition of information an agency has solicited or asked for is quite broad.
If an agency provides a way for people to send it specific information and/or invites them to do so, information provided in response is not unsolicited information.
Examples of information that is not unsolicited information:
- information provided in a webform for submitting complaints
- information provided in an application form
- voluntary feedback on a project where the agency invites it
- information provided in a voluntary survey.
The privacy principles apply to personal information whether it is collected by manual or by automated means. Automated collection of personal information may occur through the use of technologies such as anti-virus software, internet use logs, database access logs, cookies or email scanning.
These sorts of collection methods usually capture large amounts of information, and not all of it (personal email or documents, for example) will relate to the functions or activities of the agency.
When agencies are setting up or operating automated systems, they should take all reasonable steps to ensure that:
- the collection or monitoring fulfills a legitimate purpose that relates to the agency’s functions or activities
- the personal information collected is kept to the minimum necessary to achieve that purpose
- the least intrusive method of collection or monitoring is adopted.
It is important that personal information collection and handling practices are transparent and documented, and that people are given collection notices that comply with IPP 2 or NPP 1. Where the automated process monitors staff use of the computer network, the collection notice could be included in the message displayed when staff log on to the system.
Current as at: July 19, 2013