Have you ever found yourself the recipient of personal information without asking for it? For example:
- misdirected mail;
- emails accidentally copied to you;
- employment applications sent to you that are not in response to an advertised vacancy; and
- receiving more information from clients than you asked for (e.g. detailed financials).
If you have, it might be classified as unsolicited personal information under the Australian Privacy Principles (APPs). The APPs require certain steps to be taken when handling unsolicited personal information, including:
- determining whether the information could have otherwise been collected;
- destroying or de-identifying the information in certain circumstances; and
- appropriately dealing with information.
Determine whether the unsolicited information could have been otherwise collected
The first step in dealing with unsolicited personal information is to determine whether you could have otherwise collected the personal information.
Under the APPs, you can generally only collect personal information if it is reasonably necessary for, or directly related to, one or more of your functions or activities. Further, if the information is sensitive information, you generally can only collect it if the individual concerned consents to the collection.
Dealing with unsolicited personal information that could not have been collected
If you could not have otherwise collected the information, you have an obligation to destroy or de-identify the information as soon as practicable, unless it is unlawful or unreasonable to do so.
- Destruction or de-identification is lawful if it is not criminal, illegal, prohibited or proscribed by law. For example, it would be unlawful to destroy information where a legislative provision requires you to retain it for a specified purpose (e.g. auditing, inspection or reporting purposes).
- Reasonableness is determined in the circumstances. Relevant considerations may include the amount and sensitivity of the information, whether it is impractical to separate unsolicited information that has been commingled with solicited information, and whether an individual has expressly requested that you return the information to them.
Dealing with unsolicited personal information that could not have been collected and is not destroyed or de-identified
If you are not obliged to destroy or de-identify the unsolicited personal information, you may be able to retain it; however, you must do so in accordance with the APPs.
This means, for example, that:
- a notice of collection under APP 5 may be required;
- the security of the personal information must be protected; and
- individuals must be able to request access to the personal information and request that you correct the personal information.
Why does it matter?
Failure to comply with the APPs that seriously or repeatedly interferes with a person’s privacy may lead to penalties of up to $1.7 million (for corporations) and up to $340,000 (for individuals).
If you find yourself in a position where you have received personal information without taking steps to collect it, we recommend you run through the steps above to determine how to deal with it. These tips are not exhaustive, and you should see APP 4 and the APP guidelines for more information.
The APPs also require you to act within a reasonable period after receiving the information, which will depend on the circumstances. In any event, you should make a decision promptly.