This information sheet is designed to provide general guidance to organisations that are bound by the Privacy and Data Protection Act 2014 (PDPA) – that is, Victorian public sector organisations, including local councils and contracted service providers to Victorian public sector organisations. 
The PDPA contains 10 Information Privacy Principles (IPPs) that govern the way that an organisation collects and handles personal information. The IPPs also specify that an organisation must take reasonable steps to ensure that information it handles is accurate, complete and up to date.
Section 3 of the PDPA defines personal information as recorded information or an opinion (whether true or not) about an individual whose identity is apparent or can reasonably be ascertained from the information or the opinion. Examples of personal information include a person’s name, sex, date of birth, address, financial details, marital status, and education and employment history. Some personal information is classed as ‘sensitive information’. Sensitive information is information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or a trade union, sexual preferences or practices and criminal record.
This information sheet outlines a Victorian public sector organisation’s obligation under IPP 1.3 to provide a ‘collection notice’ when collecting personal information.
What is a collection notice?
A collection notice is a statement that is provided to an individual at or before the time (or, if that is not practical, as soon as possible after) an organisation collects personal information from that individual. Some examples of when a collection notice would be necessary include when a local council collects personal information on a planning application form, or when an employer collects personal information as part of a recruitment process.
In addition to meeting the requirements of IPP 1.3, giving notice promotes transparency about an organisation’s collection and handling of personal information, and ensures individuals are aware of their rights and obligations in relation to giving up (and later accessing) their information.
Before drafting a collection notice an organisation should first consider whether the collection of information is authorised or permitted by its enabling legislation, the PDPA, or some other law and whether that law specifies what the organisation is permitted to do with the collected information. Organisations should then determine what information they need to collect from individuals, bearing in mind that IPP 1.1 permits collection of personal information only where it is necessary for the organisation’s functions or activities. Before information is collected organisations should ask themselves whether their functions could be achieved without collecting personal information.
What should a collection notice contain?
IPP 1.3 states:
At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of –
a) the identity of the organisation and how to contact it; and
b) the fact that the individual is able to gain access to the information; and
c) the purposes for which the information is collected; and
d) to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and
e) any law that requires the particular information to be collected; and
f) the main consequences (if any) for the individual if all or part of the information is not provided.
These requirements are discussed in detail below.
(a) the identity of the organisation and how to contact it; and
(b) the fact that the individual is able to gain access to the information
An organisation must inform an individual from whom it is collecting personal information of the identity of the organisation and its contact details. It must also advise that the individual is able to gain access to the personal information held about them upon request.
(c) the purposes for which the information is collected
This provision requires organisations to inform individuals of the purposes for which their personal information is being collected. The purpose should be clearly stated and needs to be more specific than a general reference to a broad power such as ‘licensing’, ‘oversight’ or ‘planning’. In some situations there may be several purposes of collection (for example, where several purposes are laid out in statute). In these cases all purposes should be listed.
The IPPs are based on the premise that personal information should only be used or disclosed for the primary purpose for which the information was collected, subject to limited exceptions (IPP 2). The purpose for which information is collected governs its future use and disclosure. Organisations should aim to list all purposes for which they collect personal information, in order to ensure they are able to use the information in all manners intended.
One exemption to IPP 2 is use or disclosure of personal information for a secondary purpose that is related to the primary purpose (IPP 2.1(a)). VCAT has made a number of determinations about what constitutes a permissible secondary purpose. For example, the secondary disclosure of a tertiary student’s contact details to a debt collector after the student incurred a debt for a course was found to be sufficiently related to the primary purpose of collecting the information, being the enrolment of fee-paying students. On the other hand, where the primary purpose of collection was to enable a Council to make contact with a person who found a lost dog, the subsequent disclosure of the finder’s contact details to the grateful owner was not found to be a sufficiently related secondary purpose to satisfy IPP 2.1(a).
(d) to whom the organisation usually discloses information of that kind
This provision requires organisations to ensure that individuals are made aware of where their information is likely to flow. A collection notice can explicitly list the individuals/organisations to whom information is disclosed, for example ‘State Revenue Office’ or ‘Australian Taxation Office’. Alternatively organisations can be referred to by type, such as ‘state and federal taxation authorities.’ Where the information is usually shared for specific purposes, the notice should also refer to these. For example, the notice might say information is usually disclosed to ‘state and federal electoral commissions for the purpose of updating the joint electoral roll.’
If an organisation collects personal information with the intention of publishing or disseminating it (for example online or in a brochure or document which is available to the public), this should be made explicitly clear to individuals at the time of collection. Organisations should be aware that online publication is effectively permanent disclosure to the world, with few limitations or controls over possible uses.
Organisations should, where possible, offer individuals an opportunity to restrict the publication of their personal information, for example where an individual has a concern that such disclosure may pose a risk to their personal safety. In some circumstances laws expressly provide an option to restrict publication or disclosure.
(e) any law that requires the particular information to be collected
Where an organisation has power to compulsorily obtain information, this should be made clear. The collection notice should state which law is being relied upon as the basis for collection, as this makes the organisation’s authority clear and allows an individual to verify the stated authority.
(f) the main consequences (if any) for the individual if they do not provide all or part of their information
This provision requires that organisations provide notice about the consequences for individuals for not providing all or part of the personal information requested. For instance, an organisation may not be able to provide a full range of services if certain information is not provided. Where an individual has an option not to provide certain details (such as an email address, phone number, age or even name), that should be made clear. Such information may still be regarded as necessary to an organisation in that it assists it in effectively and efficiently carrying out its functions and activities. However, there may be instances where an individual does not wish to participate or take advantage of all of the organisation’s activities and so may prefer to withhold certain information.
When should a collection notice be provided?
A collection notice should be provided to an individual each and every time the organisation collects personal information. Organisations that collect personal information in connection with different functions or activities will need to provide more than one collection notice. This is because the purposes for which the information is collected, the type of information collected, and the way in which the information is used and disclosed may differ with each activity. For example, the information collected by an organisation when receiving complaints from the general public will be vastly different from the information collected by an organisation as part of a recruitment process.
IPP 1.3 states that a collection notice must be provided before or at the time of collection. Where this is not practicable, IPP 1.3 allows for notice to be given as soon as practicable after the time of collection. The provision of emergency services is an example of a situation in which it may not be practicable to provide a collection notice either prior to, or at the time of collection. Where this is the case, organisations should take reasonable steps to ensure individuals are made aware of the matters set out in IPP 1.3 as soon as practicable after the information is collected.
The IPPs are based on the premise that personal information should only be used and disclosed for the primary purpose for which the information was collected, or for a secondary related purpose in certain circumstances. The purpose for which information is collected governs its future use and disclosure.
Issues for consideration
Sensitive information is defined in Schedule 1 of the Act and is summarised in the opening section of this Information sheet. An organisation should consider whether it collects any sensitive information from individuals. IPP 10 limits the circumstances in which sensitive personal information can be collected.
Consideration should also be given to whether the organisation collects any health information. Health information is dealt with under the Health Records Act 2001, administered by the Health Services Commissioner. Where health information is collected, consideration should be given as to whether the organisation is compliant with their obligation to provide a collection notice under Health Privacy Principle 1. For more information, please contact the Victorian Health Services Commissioner.
Information collected from third parties
IPP 1.4 states that information about an individual should only be collected from that individual. The PDPA recognises that in some situations it may not be reasonable or practicable to collect personal information directly from the individual. IPP 1.5 adds that where an organisation collects personal information about an individual from someone else, the organisation must take reasonable steps to ensure that the individual is aware of the matters set out in IPP 1.3 (see ‘What should a collection notice contain?’ above), unless to do so would pose a serious risk to the life or health of any individual.
There are some obvious circumstances where an organisation will collect information about an individual from another individual or organisation. For example, this could occur when an individual discloses information about their family or residential circumstances when applying for financial assistance or welfare benefits.
In this situation, an organisation will need to assess what reasonable steps should be taken to give notice to the individual that information about them has been collected from a third party. This will include considering issues such as the ability of the organisation to contact the individual, the nature of the information collected, and what will be done with the information.
What constitutes an organisation taking ‘reasonable steps’ to provide a collection notice?
IPP 1.3 requires an organisation to take reasonable steps to ensure that an individual is aware of the various matters set out in IPP 1.3. What constitutes ‘reasonable steps’ will depend on a number of factors, which may include:
- if notice is likely to have already been received by the individual, for example, where an individual is responding to correspondence from an organisation that provided a collection notice in the initial communication
- how the information has been collected
- the nature of the particular information collected and its impact on privacy
- what will be done with the information, including who will have access to it and how it will be used
- the ability of the organisation to contact the individual concerned.
After considering the above factors, an organisation may decide that it is not reasonable to take any steps to give an individual notice of the various matters set out in IPP 1.3. An example of this situation could be where an organisation receives unsolicited correspondence that is not necessary for its functions or activities, which it simply files and stores in compliance with the Public Records Act 1973. However, if at any time the organisation decides to use or disclose that information for a particular purpose, it must provide the individual with appropriate notice.
Publishing a collection notice
Some practical examples of how collection notices can be provided to individuals may include:
- a written notice, for example:
  - made available on the organisation’s website where information is collected online
  - sent with initial correspondence when an individual is commencing their interactions with the organisation
  - included in forms which are used by the organisation to collect information.
- notice included in an automated recorded message where individuals provide information to an organisation over the telephone, or set out in a standard script which is read out to individuals by staff when collecting information
- notice included in brochures, posters and counter signage displayed in locations where individuals make contact with an organisation or where personal information is collected.
As a further example, organisations often conduct events at which the organisation has its staff (or an external party) take photographs to be used by the organisation in the future for promotional purposes. In this scenario, where individuals are required to confirm their attendance at an event, or where the organisation is aware of the specific individuals attending, it may be reasonable for the organisation to provide the individuals attending the event with the appropriate notice that their photograph may be captured prior to the event. Alternatively if attendance at the event is open and the organisation is unable to contact individuals attending beforehand, displaying clear signs containing the relevant information may be considered ‘reasonable steps’ in some cases.
Layering collection notices
Collection notices should be easy to read and understand. Where all the information required under IPP 1.3 is contained in a single notice, it may become too long and complex for individuals to comprehend. In these cases organisations may consider using a layered collection notice, by first providing a concise summary of key points and then providing more detailed information in further documents.
For example, in some cases, such as where CCTV surveillance is conducted, it may be sufficient to post brief information on a sign, such as the identity and address of the organisation conducting the surveillance, a brief reference to why surveillance is underway, and a website where individuals can find more complete details about IPP 1.3 matters.
Commissioner for Privacy and Data Protection
Level 6, 121 Exhibition Street
PO Box 24014
Melbourne Victoria 3001
Telephone: 1300 666 444
Level 26, 570 Bourke Street
Melbourne Victoria 3000
Telephone: 1300 582 113
Please note that the contents of this information sheet are for general information purposes only, and should not be relied upon as legal advice. CPDP does not guarantee or accept legal liability whatsoever arising from, or connected to the accuracy and reliability of the contents of this document. We encourage your organisation to obtain independent legal advice as necessary.