Whenever an agency collects personal information it must comply with the privacy principles. Information Privacy Principles (IPPs) 1-3 deal with the collection of personal information by an agency which is not a health agency. National Privacy Principle (NPP) 1 deals with the collection of personal information by a health agency.
Collection of personal information is a fundamental part of information privacy regulation. It is important that agencies take care when collecting personal information. The primary considerations when collecting personal information are:
If the answer to the second question is yes then the information should not be collected.
While some agencies may generate personal information, in most instances personal information held by agencies has been collected – that collection must comply with the privacy principles.
Generally, when collecting personal information an agency must:
Collecting personal information because the agency thinks it may need it at some time in the future is likely to breach the privacy principles relating to collection.
Some of the privacy principles only apply to solicited information or information the agency asks the individual to provide. The definition of information an agency has solicited or asked for is quite broad.
If an agency provides a way for people to send it specific information and/or invites them to do so, information provided in response is not unsolicited information.
Examples of information that is not unsolicited information:
The privacy principles apply to personal information whether it is collected by manual or by automated means. Automated collection of personal information may occur through the use of technologies such as anti-virus software, internet use logs, database access logs, cookies or email scanning.
These sorts of collection methods usually capture large amounts of information, and not all of it, such as personal email or documents, will relate to the functions or activities of the agency.
When agencies are setting up or operating automated systems, they should take all reasonable steps to ensure that:
It is important that personal information collection and handling practices are transparent and documented, and that people are given collection notices that comply with IPP 2 or NPP 1. Where the automated process monitors staff use of the computer network, the collection notice could be included in the message displayed when staff log on to the system.
Current as at: July 19, 2013