Skip to content
LegalVision

Can I Collect an Individual’s Personal Information From a Third Party?

Avatar photo

By Tim Jones
Senior Lawyer

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Summarise with: ChatGPT logo ChatGPT Perplexity logo Perplexity Microsoft Copilot logo Microsoft Copilot
Table of Contents

The Privacy Act 1988 (Cth) is the law governing the privacy obligations of businesses in Australia. The Australian Privacy Principles (APPs) outline 13 rules that APP entities must follow when handling personal information. It is crucial for businesses to comply with these principles, especially as personal data becomes more valuable. Amendments to Australia’s privacy laws have increased penalties for businesses that seriously or repeatedly interfere with the privacy of individuals. This article will discuss the obligations of APP entities when collecting personal information from a third party.

What is an APP Entity?

Australian privacy legislation applies to APP entities. Your business is considered an APP entity if you have an annual turnover of more than $3 million. If your business has less than $3 million annual turnover, you may still be considered an APP entity if you:

  • provide a health service or otherwise hold health information (other than that of your employees);
  • handle personal information for a benefit, service or advantage; or
  • are a service provider under a Commonwealth contract.

APP entities must comply with the APPs if they collect, disclose, or handle individuals’ personal information.

What is Personal Information?

The Privacy Act defines ‘personal information’ as: 

“information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recording in a material form or not.”

“Sensitive information”, which includes health information, is provided additional protection under Australian privacy laws given the sensitive nature of this information.

Continue reading this article below the form
Loading form

Collecting Personal Information From a Third Party

APP entities can collect solicited personal information and must notify individuals about the collection of their personal information, as stated in APP 3 and APP 5, respectively.

APP entities may permissibly collect personal information where it is reasonably necessary for the organisation’s functions or activities. To collect personal information lawfully, your business must use fair means and obtain the information directly from the individual unless this is unreasonable or impractical.

When deciding whether collecting personal information directly from an individual is unreasonable or impractical, it’s important to consider the context. However, some considerations that may be relevant include:

  • whether the individual would reasonably expect their personal information to be collected from another source;
  • the sensitivity or type of personal information that is being collected;
  • if the collection poses any risks;
  • the time and cost involved if the entity was to collect the information directly from the individual; and
  • whether collecting the information directly would jeopardise the integrity or purpose of the personal information.

Notification of Collecting Personal Information From a Third Party

APP 5 requires entities to take reasonable steps to notify the individual of certain matters or ensure the individual is aware of those matters when collecting their personal information.

“Certain matters” include:

  • the name and details of the business collecting the information;
  • the purposes of collection;
  • the consequences if the personal information is not collected;
  • where the personal information is usually disclosed;
  • information or a link to the entity’s privacy policy; and
  • whether the personal information will likely be disclosed overseas, and if so, to which countries.

This applies to both personal information collected directly from an individual or obtained from a third party. When getting personal information from a third party, make sure they have informed the individual about those “certain matters”. Enforceable contracts can ensure third-party collection of personal information follows the APPs.

Before collecting personal information through a third party, you must demonstrate that it is unreasonable or impractical to collect the information directly. If that is the case and your business elects to use a third party to gather individuals’ personal information, you must then ensure the third party collects the information in line with the APP requirements. The most effective way to ensure that this occurs is by having a provision in your business’s contract with the third party. 

Using Address-Harvesting Software

While not explicitly covered under Australian privacy laws, the Spam Act 2003 (Cth) also makes it illegal to use, supply or acquire address-harvesting software or an electronic address list produced by address-harvesting software. Address-harvesting software is technology that scans the internet to find personal information, often contact details, of individuals, typically for the purpose of direct marketing or lead generation. Your business must avoid using address-harvesting software in all instances.

Front page of publication
2023 Key Data and Privacy Developments

This fact sheet outlines the changes to data and privacy protection in 2023.

Download Now

Key Takeaways 

Best practice for when your business is collecting personal information – whether for the proper execution of your business’ functions or activities, direct marketing or another purpose – is to collect the personal information directly from the individual. When your business collects information directly from the individual, it is imperative to ensure they consent to and understand the purpose of the collection.

If you need help understanding your privacy obligations, contact our experienced data, privacy and IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

Can I purchase an email list from a third party?

Australia’s spam laws state that you and your business cannot use, acquire or supply address-harvesting software or lists produced by address-harvesting software.

Do I have to collect personal information directly from the individual concerned?

Australian privacy law requires businesses to collect personal information directly from the individual unless it is unreasonable or impractical to do so. Given the ease with which you can collect personal information online, the threshold for what is unreasonable or impractical is a high one.

Do the privacy laws apply to my business?

The privacy laws apply to businesses that are considered APP entities. However, it is best practice to have systems and processes that align with the privacy laws so that you will be well-positioned when your business surpasses the $3 million annual turnover threshold.

Register for our free webinars

Demystifying M&A: What Every Business Owner Should Know

Online
Understand the essentials of mergers and acquisitions and protect your business value. Register for our free webinar.
Register Now

Social Media Compliance: Safeguard Your Brand and Avoid Common Pitfalls

Online
Avoid legal pitfalls in social media marketing and safeguard your brand. Register for our free webinar.
Register Now

Building a Strong Startup: Ask a Lawyer and Founder Your Tough Questions

Stone & Chalk Tech Central, Level 1 - 477 Pitt St Haymarket 2000
Join LegalVision and Bluebird at the Spark Festival to ask a lawyer and founder your startup questions. Register now.
Register Now

Construction Industry Update: What To Expect in 2026

Online
Stay ahead of major construction regulatory changes. Register for our free webinar.
Register Now
See more webinars >
Tim Jones

Tim Jones

Senior Lawyer | View profile

Tim is a Senior Lawyer in LegalVision’s Employment, Corporate and Commercial teams.

Qualifications: Bachelor of Laws, Bachelor of International Studies, Macquarie University.

Read all articles by Tim

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

Is My Organisation Exempt From the Spam Act?

Key Considerations When Sharing Personal Information with Overseas Contractors

Key SaaS Privacy and Data Considerations

Legal Considerations for Engaging Overseas Contractors vs. Local Contractors

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards