The Privacy Act 1988 (Cth) is the law governing the privacy obligations of businesses in Australia. The Australian Privacy Principles (APPs) outline 13 rules that APP entities must follow when handling personal information. It is crucial for businesses to comply with these principles, especially as personal data becomes more valuable. Amendments to Australia’s privacy laws have increased penalties for businesses that seriously or repeatedly interfere with the privacy of individuals. This article will discuss the obligations of APP entities when collecting personal information from a third party.
What is an APP Entity?
Australian privacy legislation applies to APP entities. Your business is considered an APP entity if you have an annual turnover of more than $3 million. If your business has less than $3 million annual turnover, you may still be considered an APP entity if you:
- provide a health service or otherwise hold health information (other than that of your employees);
- handle personal information for a benefit, service or advantage; or
- are a service provider under a Commonwealth contract.
APP entities must comply with the APPs if they collect, disclose, or handle individuals’ personal information.
What is Personal Information?
The Privacy Act defines ‘personal information’ as:
“information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.”
“Sensitive information”, which includes health information, is provided additional protection under Australian privacy laws given the sensitive nature of this information.
Collecting Personal Information From a Third Party
APP entities can collect solicited personal information and must notify individuals about the collection of their personal information, as stated in APP 3 and APP 5, respectively.
APP entities may permissibly collect personal information where it is reasonably necessary for the organisation’s functions or activities. To collect personal information lawfully, your business must use fair means and obtain the information directly from the individual unless this is unreasonable or impractical.
When deciding whether collecting personal information directly from an individual is unreasonable or impractical, it’s important to consider the context. However, some considerations that may be relevant include:
- whether the individual would reasonably expect their personal information to be collected from another source;
- the sensitivity or type of personal information that is being collected;
- if the collection poses any risks;
- the time and cost involved if the entity was to collect the information directly from the individual; and
- whether collecting the information directly would jeopardise the integrity or purpose of the personal information.
Notification of Collecting Personal Information From a Third Party
APP 5 requires entities to take reasonable steps to notify the individual of certain matters or ensure the individual is aware of those matters when collecting their personal information.
“Certain matters” include:
- the name and details of the business collecting the information;
- the purposes of collection;
- the consequences if the personal information is not collected;
- where the personal information is usually disclosed;
- information or a link to the entity’s privacy policy; and
- whether the personal information will likely be disclosed overseas, and if so, to which countries.
This applies to both personal information collected directly from an individual or obtained from a third party. When getting personal information from a third party, make sure they have informed the individual about those “certain matters”. Enforceable contracts can ensure third-party collection of personal information follows the APPs.
Before collecting personal information through a third party, you must demonstrate that it is unreasonable or impractical to collect the information directly. If that is the case and your business elects to use a third party to gather individuals’ personal information, you must then ensure the third party collects the information in line with the APP requirements. The most effective way to ensure that this occurs is by having a provision in your business’s contract with the third party.
Using Address-Harvesting Software
While not explicitly covered under Australian privacy laws, the Spam Act 2003 (Cth) also makes it illegal to use, supply or acquire address-harvesting software or an electronic address list produced by address-harvesting software. Address-harvesting software is technology that scans the internet to find personal information, often contact details, of individuals, typically for the purpose of direct marketing or lead generation. Your business must avoid using address-harvesting software in all instances.
Key Takeaways
Best practice for when your business is collecting personal information – whether for the proper execution of your business’ functions or activities, direct marketing or another purpose – is to collect the personal information directly from the individual. When your business collects information directly from the individual, it is imperative to ensure they consent to and understand the purpose of the collection.
If you need help understanding your privacy obligations, contact our experienced data, privacy and IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Australia’s spam laws state that you and your business cannot use, acquire or supply address-harvesting software or lists produced by address-harvesting software.
Australian privacy law requires businesses to collect personal information directly from the individual unless it is unreasonable or impractical to do so. Given the ease with which you can collect personal information online, the threshold for what is unreasonable or impractical is a high one.
The privacy laws apply to businesses that are considered APP entities. However, it is best practice to have systems and processes that align with the privacy laws so that you will be well-positioned when your business surpasses the $3 million annual turnover threshold.