Sharing data is a necessary part of doing business in today’s digital economy. In many cases, organisations rely on a third party to collect and pass on relevant personal information and, increasingly, generate or infer personal information themselves via AI analytics or profiling. These indirect collections (a) are subject to specific privacy obligations and (b) increase privacy risk, especially where the organisation does not address those obligations.
When are indirect collections permitted?
Whether the personal information comes from a third party or is created or generated by the organisation itself, an organisation is only permitted to collect it indirectly where it is unreasonable or impracticable to collect it from the individual directly.
What is unreasonable or impracticable?
Whether it is objectively ‘unreasonable’ or ‘impracticable’ to collect personal information directly depends on the specific circumstances of each case. Relevant factors include whether the individual would reasonably expect their personal information to be collected directly from them, the sensitivity of the personal information in question, whether it is impossible in practice to collect it directly, the privacy risks of an indirect collection, and the time and costs of collecting it directly. Time and cost are relevant only where they are so excessive as to be unreasonable in the extreme, given the nature of the personal information.
For example, where an organisation acquires third-party data to enrich its directly collected data in order to personalise content or optimise targeted advertising, it may well not be ‘unreasonable’ or ‘impracticable’ to collect that information from the individual directly. If it is not, or if the unreasonableness or impracticability of direct collection cannot be objectively justified, the indirect collection will breach APP 3.6. On the other hand, in a financial services context where a business is carried on almost exclusively through intermediaries (such as brokers) that also provide services to the mutual customer, it may be ‘unreasonable’ or ‘impracticable’ for the financial services organisation to break with that business model in order to collect personal information directly from potential customers with whom it does not yet have any direct contact.
Collection only by lawful and fair means
Even where an indirect collection is permitted, an organisation must still take steps to ensure that the third party’s collection of the personal information (tracing back to its original collection from the individual), or the organisation’s own generation or inference of that information, was by lawful and fair means.[1] A collection is lawful unless it is illegal, criminal or prohibited by law. A collection is fair where it does not involve deception or intimidation and is not unreasonably intrusive. A covert collection of personal information is generally not fair and is not permitted unless an exception applies, for example to the extent that a law requires or authorises the collection.
The organisation must satisfy itself that the third party from which it collects the personal information collected it in a lawful and fair manner. This includes confirming that the third party (or the party that originally collected the information from the individual) notified the individual, in its privacy policy or collection notice, of the disclosure to the organisation, and that its collection and disclosure do not contravene any other APPs or legal obligations. For example, if the personal information was scraped from a publicly available website, did that scraping breach the website’s conditions of use? If so, both the third party’s collection and the organisation’s collection will be in breach of APP 3.5. As to what constitutes an unfair collection, relevant considerations include whether the information was collected without appropriate notice being provided, whether it was collected from a cognitively impaired individual without appropriate protections in place, whether cultural differences were not taken into account, and whether the purposes of the collection were misrepresented or any other deception was involved.
APP 3.5 (along with APP 3.6) must also be applied to generated or inferred personal information collected by the organisation although, to date, this has rarely occurred.
How to limit the risks
For each indirect collection of personal information, organisations should assess and test whether it is objectively unreasonable or impracticable to collect that personal information directly from the individual. Where indirect collection is permitted, organisations must ensure that the third party’s collection, or the organisation’s own generation, of that personal information was by lawful and fair means.
We are happy to discuss how best to address the obligations and to manage your privacy risks for indirect collections in practice and how Atmos can assist you with this.
To hear more or to organise a chat, get in touch:
info@atmosgroup.com.au
[1] 'AHM' and JFA (Aust) Pty Ltd t/a Court Data Australia [2024] AICmr 29