A recent decision from the Australian Information Commissioner and Privacy Commissioner (Privacy Commissioner) provided a timely reminder to organisations about obligations when collecting personal information from someone other than the individual in question.
‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy) [2019]
TICA Default Tenancy Control Pty Ltd (Tenancy Control) maintains various databases to assist the real estate industry, including for the purpose of vetting rental applicants. The database in question, the Public Record Database (PRD), is compiled from publicly available sources such as daily court listings.
The Complainant had no direct dealings with Tenancy Control but was involved in a dispute with NSW Housing listed in the NSW Civil and Administrative Tribunal (NCAT). An unaltered record of this listing, including the Complainant’s name, was downloaded by Tenancy Control from NCAT and incorporated into the PRD.
Subsequently, the Complainant became aware of the PRD record of the NCAT proceeding when she was unable to obtain a rental property and lodged a privacy complaint.
While many of the grounds of the complaint were not upheld, the Privacy Commissioner did decide that the Complainant’s privacy had been interfered with because Tenancy Control:
- collected personal information about the Complainant from a third party; and
- did not take reasonable steps to notify the Complainant about the collection and the other matters required by the Privacy Act (see summary below).
Tenancy Control argued that it did not have any contact details of the Complainant and so was unable to take any reasonable steps to provide notice of the collection. But the Privacy Commissioner’s position was that even in this situation Tenancy Control was required to take some reasonable steps, for example by making a notice available to tenants on its website about its collection of such information.
As Tenancy Control failed to take any steps at all, reasonable or otherwise, to notify the Complainant, the Commissioner ordered Tenancy Control to issue a written apology to the Complainant and pay $1,500 in damages.
What this means for your organisation
If the Privacy Act applies to your organisation, when you collect personal information about an individual, either from that individual or from someone else, you must take reasonable steps to notify the individual of the matters set out in Australian Privacy Principle 5.2, which include:
- your organisation’s identity and contact details;
- that the collection occurred and how it occurred;
- whether the collection is required or authorised by law;
- the purposes of collection;
- the consequences to the individual if personal information is not collected;
- how your organisation usually discloses information collected;
- information about your organisation’s Privacy Policy and how to access it; and
- whether your organisation is likely to disclose the information overseas, and if practicable, the countries where it will be disclosed.
The notification needs to be provided before or at the time of collection if this can be reasonably done, otherwise as soon as practicable afterwards.
As demonstrated by the Tenancy Control case, even where notification of collection is difficult, or direct notification is not possible, you are still required to take some form of reasonable steps to comply.
This latest case is particularly applicable to organisations that routinely source information about individuals from publicly available services, and may not have considered the privacy implications of such a practice. But all organisations that collect personal information need to be aware of notification requirements under the Privacy Act.
If you have any concerns about these issues, we can assist by providing a privacy audit, reviewing and updating your privacy policy, or preparing compliant collection notices. Contact us here.