By Alec Christie, Partner
As noted in our first article under this title, the COVID-19 pandemic has brought into focus a number of privacy misconceptions or ‘fake privacy advices’ which are, as regards privacy compliance, just as dangerous as the COVID-19 ‘fake news’ spread by social media. Unfortunately, since our first article, these ‘fake privacy advices’ have continued unabated.
The fake privacy advice often relates to privacy obligations which are rarely considered, at best, have been forgotten or, at worst, are simply ignored. So, in this second edition of “COVID-19 is not a privacy ‘get out of jail free’ card” we examine another nugget of fake privacy advice and the two ‘forgotten’ APPs it relates to. The fake privacy advice is along the lines that ‘you have a right to collect personal information via third parties’, that doing so ‘insulates you from any APP collection failings’ and/or that collecting personal information via third parties ‘in practice reduces your collection obligations’. The two APPs it ignores are APP 3.5 and APP 3.6:
- you must only collect personal information by lawful and fair means (APP 3.5); and
- you must only collect personal information from the individual it relates to unless it is unreasonable or impracticable to do so (APP 3.6).
Together these overlooked APPs set a reasonably high bar for your collection of personal information about an individual from a third party (ie rather than from the individual). However, this fake privacy advice is especially dangerous in the current pandemic where companies are collecting information from a number of sources about whether or not their employees, contractors, customers and/or others are infected with COVID-19.
APP 3.6 – Only collect personal information from the individual
Is it actually ‘unreasonable or impracticable’ to collect the personal information in question directly from the individual? For example, if you have the means to communicate with the relevant individual, why is it then unreasonable or impracticable to collect the personal information from that individual directly?
Simply saying it is unreasonable or impracticable to collect the information directly does not make it so. Even if it is more efficient, easier or less costly to collect the personal information about an individual from a third party (rather than directly), this is not good enough to meet the requirement of it being unreasonable or impracticable. You must be able to show that it is truly unreasonable (eg cost prohibitive, not just more costly) or impracticable (eg you have never communicated with the individual and do not have their contact details) before this exception to the obligation to only collect personal information from the individual themselves applies.
APP 3.6 requires that you examine all collection of personal information from third parties (ie other than directly from the individual) and ask ‘could we collect this information directly from the individuals in question?’ If yes, then you are only exempted from the obligation to do so if it is justifiably ‘unreasonable or impracticable’ (not just more difficult or more costly) to do so. In fact, as this will not be established in most cases, where you do establish that it is unreasonable or impracticable to collect the information directly we recommend that you document your thought process, the supporting evidence and the conclusion for every instance where you collect personal information from a third party rather than directly from the individual. Of course, where you cannot establish that it is unreasonable or impracticable for you to collect the personal information directly from the individual you must only collect that personal information directly (ie no third party collection).
APP 3.5 – Only collect personal information by lawful and fair means
If you collect personal information from a third party who has not collected such in accordance with the APPs (eg it has failed to obtain consent for collection or disclosure of sensitive information and/or has not appropriately notified the individual of collection under APP 5), does their breach “taint” your collection of that personal information under APP 3.5?
Absolutely, yes it does. You cannot meet your obligation in APP 3.5 to only collect personal information by lawful and fair means if you obtain it from a third party who has not complied with the APPs in collecting and/or disclosing to you that information. That is, if the third party has not collected it by lawful and fair means (ie in compliance with the Privacy Act/APPs) their actions taint your subsequent collection of that personal information. In other words, you cannot lawfully or fairly collect personal information from a third party that has not lawfully and fairly collected the personal information in the first place or lawfully disclosed it to you. Even if you have obtained the information from that third party in good faith without notice of their unlawful or unfair collection or disclosure of such you will have breached APP 3.5 simply by receiving (ie collecting) that information from that third party.
Therefore, you should assess whether or not that third party (i) has itself collected the personal information by lawful and fair means and (ii) can lawfully disclose it to you. Clearly, this requires some level of due diligence on any third party providing you with personal information. Ignorance is no excuse. It is not good enough to say that you assumed, given that they were providing the information in Australia, that they would have complied with the APPs.
What you need to do now
In the current pandemic, while you may have an exception from obtaining consent to directly collect health information (i.e. whether employees or contractors are infected), this does not exempt you from other privacy obligations or necessarily apply to personal information provided to you by a third party. Thus, you need to do a “due diligence” of sorts to determine whether (i) it really is unreasonable or impracticable for you to collect this information directly and (ii) if you are collecting this (or any other) personal information from a third party, that third party has the right to disclose such to you and has collected that personal information by lawful and fair means in compliance with the APPs.