4 min read
December 13, 2022
Fact Checked

How to Collect Personal Information: Consent & Opt‑out Rules4 min read

Published By:

Gavin McInnes

Founder of GRM LAW

Key Takeaways:

Privacy Act Compliance: You must comply with the Privacy Act if you are an APP entity collecting personal information from any source for inclusion in a record or generally available publication.
Mandatory Consent for Sensitive Data: While general personal information does not always require permission, you must obtain consent to collect sensitive information unless specific exceptions under APP 3.4 apply.
Securing Valid Consent: It is highly advisable to obtain express consent (such as a written or electronic signature) rather than relying on implied consent, ensuring the individual’s agreement is voluntary, current, and specific.
Strict Rules for Opt-Out Mechanisms: Using an opt-out mechanism to infer consent is only appropriate in limited circumstances and must meet strict criteria, including being clearly presented and free of financial cost.

Read the Full Details

You will be collecting personal information and therefore must comply with the Privacy Act if:

you are an APP entity; and
you are collecting the personal information for inclusion in a record or generally available publication.

A record includes a document or an electronic or other device, but excludes anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition.

A generally available publication means a magazine, book, article, newspaper or other publication that is, or will be, generally available to members of the public.

The collection of personal information involves the gathering, acquiring or obtaining of personal information from any source and by any means. It can include the collection of the information from individuals, other entities, generally available sources, such as newspapers or websites, surveillance cameras and the metadata generated by web browsing.

Do I need permission to collect personal information?

In general, it is not necessary to obtain consent to collect most types of personal information. However, consent must be obtained to collect sensitive information about an individual, unless one of a number of exceptions set out in APP 3.4 applies, for example:

the collection of the information is required or authorised by Australian law or court order;
the APP entity is an enforcement body and reasonably believes that the collection of the information is reasonably necessary for or directly related to one or more enforcement related activities conducted by the entity; and
the APP entity is a non-profit organisation and the information relates to the activities of the organisation and relates solely to the members of the organisation, or individuals who have regular conduct with the organisation in connection with its activities.

Express vs Implied consent

Where consent is required, it is possible to obtain either express or implied consent. However, it is generally advisable to obtain express consent to the collection of personal information. This could include a handwritten signature or use of an electronic medium or voice signature to signify agreement. Whilst oral consent is sufficient to meet the requirement of express consent, it can be risky and does not constitute best practice in this area.

The Privacy Commissioner has identified 4 elements of consent:

the individual is adequately informed before giving consent;
the individual gives consent voluntarily;
the consent is current and specific; and
the individual has the capacity to understand and communicate their consent.
You should not infer consent merely because you have provided an individual with notice of a proposed collection of personal information. Consent also may not be implied if an individual’s intent is ambiguous or subject to reasonable doubt.

Opt-out Mechanics for obtaining consent

The Privacy Commissioner’s policy is that use of an opt-out mechanism to infer an individual’s consent will only be appropriate in limited circumstances, as the individual’s intention in failing to opt-out may be ambiguous. Where an opt-out mechanism is used, the Commissioner has said that the following factors must be met:

the opt out option must be clearly and prominently presented;
it is likely that the individual received and read the information about the proposed collection, use or disclosure, and the option to opt out;
the individual was given information on the implications of not opting out;
the opt out option was freely available and not bundled with other purposes;
it was easy for the individual to exercise the option to opt out, for example, there was little or no financial cost or effort required by the individual;
the consequences of failing to opt out are not serious; and

an individual who opts out at a later time will, as far as practicable, be placed in the position as if they had opted out earlier.

_______________________________________________________________________________________________________________________________________________________________

For more information, please contact Gavin McInnes on 07 3367 8681 or gmcinnes@grmlaw.com.au.

The information contained in this article is general in nature and cannot be regarded as anything more than general comment. Readers of this article should not act on the basis of this comment without consulting one of GRM LAW ‘s legal practitioners who will consider their particular circumstances.

Expertise

GRM LAW has a wide range of experience assisting companies in all aspects of business, corporate and IT law.

Not only will you find that GRM LAW is likely to have assisted someone in your exact situation, but you’ll find that a GRM LAW lawyer can distill a complex legal issue into a set of actionable options for you to consider.