Privacy Officer Training  

 

 

 

Collection

 

NPP 1.1

 

Only personal information that is necessary for a function or activity may be collected

 

This principle means that an organisation cannot collect information for which it has no need.

When will information be "necessary"?

Information will be “necessary” if a legitimate function or activity can't be pursued without it.

To be necessary, information:

• does not need to be indispensable (ie. a business couldn't be conducted without it);

• must be more than merely useful or expedient; and

• generally, should be of more than just marginal relevance.

Information is not necessary simply because it might be useful at some time in the future.

 

Case study 1:  N v Private Insurer [2003] PrivCmrA 12

An insurer’s privacy consent forms were drafted broadly to enable it to obtain any information from a claimant's health service providers, without limiting the consent to information that was relevant to a claim or to a specified time period. 

Do you think such a broad consent form permitting the collection of any health information at any time was permitted under NPP 1.1?  Answer

 

Case study 2: Z v Credit Provider [2004] PrivCmrA 16

The complainant presented a cash cheque to a bank which requested and recorded the complainant’s identity. The complainant alleged that, as the cheque could be made out to cash, the collection of identification information was  not necessary.

Do you think the collection was permitted under NPP 1.1?  Answer

 

next page

(previous page)

Materials written by:

PRIVACY LAW CONSULTING AUSTRALIA

Specialist privacy law & information policy advice

HOME  |  TERMS  |  DISCLAIMER