5. Collection & justification principles
Graham Greenleaf, revised 30 April 2003
[The previous Reading Guide is
RG 20. Key concepts in information privacy legislation - the existing
numbering scheme no longer works!!]
material added since the date of the class concerning this topic
This Reading Guide deals with two related sets of privacy principles: those
requiring the creation of information systems to be 'justified' in some way;
and those placing limitations on the collection of personal information for
inclusion in information systems.
The following resources are relevant to all aspects of the collection
principles. Specific references to parts of these resources are given in the
following sections, but you may prefer to read them in their entirety first.
- Private sector -
- Commonwealth public sector -
- NSW public sector -
- Victorian public sector -
remains largely undefined in privacy law. Privacy legislation does not usually
provide a definition, but merely uses the words 'collect' or 'collection'. Case
law has only dealt with the question indirectly.
At least the following methods of receiving information about a person require
separate consideration as to whether they are 'collection' for IPP purposes:
- Berthold & Wacks ('B&W') Chapter 5
The first category, information solicited from another person, is clearly within
the meaning of 'collected', whether solicited from the data subject or a 3rd
party. (eg HK DPP 1(3) assumes there can be collection from 3rd parties).
- Information solicited from another person (data subject or 3rd parties);
- Unsolicited information (whether from data subject or 3rd parties);
- Information obtained from observations ('surveillance') of the data
- Information extracted from documentary or other sources.
The distinction between solicitation from the data subject and from 3rd parties
can be important in two areas:
( on AustLII)
- the consequences may differ depending on whether solicited from the data
subject or from a 3rd party (see later concerning requirements to give notice).
- Some laws require collection from the data subject where feasible (ie
solicitation from data subject)
Privacy and Personal Information Protection Act 1998 (NSW) - IPP 9
collection of personal information directly from the individual to whom the
information relates (s9)
DO applied for admission to a PhD programme at the University of New South
Wales (UNSW), which is an agency for the purposes of the Privacy and
Personal Information Protection Act 1998. In his application DO signed a
declaration stating in part that 'I authorise the University to obtain official
records from any tertiary institutions previously attended by me. If any
information supplied by me may be considered to be untrue or misleading in any
respect, I understand the University may take such action as it believes
necessary ... I understand that the University reserves the right to vary or
reverse and decision made on the basis of incorrect or incomplete
Under the heading 'Academic Qualifications' DO indicated he had obtained two
qualifications from 'the ANU' (Australian National University). DO was
admitted to the programme but his enrolment was subsequently terminated by UNSW
which stated 'you did not declare on your application for admission to the PhD
program your previously (sic) enrolments at the University of Adelaide (1997),
the University of Queensland (1998), Macquarie University (1999) and the
University of Tasmania (2000 and 2001).'
DO complained that UNSW breached the Act by obtaining personal information
about him from universities (other than ANU) without his consent. UNSW
conducted an internal review which concluded that it had not acted outside the
authority provided by DO in collecting information from the other universities.
DO sought a review of UNSW's conduct by the ADT under s55 of the Act.
Deputy President Hennessy dismissed the application. There was no breach of
information protection principle (IPP) 8 (s8) because UNSW had collected the
information from the other universities for the lawful purpose of considering
whether DO was an appropriate person to enrol in a PhD programme, and
information about his previous academic history was reasonably necessary for
IPP 9 (s9) requires that personal information must be collected 'directly from
the individual to whom the information relates unless' 'the individual has
authorised collection of the information from someone else'. Hennessy DP held
the declaration DO signed authorising UNSW to obtain information 'from any
tertiary institutions previously attended by me' was not qualified in any way
and did authorise the collection that took place.
Comment (G Greenleaf)
Although Hennessy DP's decision is not surprising, the case illustrates
the risk of breaching IPP 9 that NSW agencies face if they obtain personal
information from third parties without first obtaining authorisation from the
IPP 9 has a three-fold effect in that (i) it requires prior notice of intent to
collect from third parties to be given to the individual concerned; and (ii) it
prevents collection from the third party unless the individual authorises this.
In most cases this will mean in practice that (iii) the agency also collects
the information from the individual concerned, but it is significant that IPP 9
does not require this. It is also important that IPP 9 does not prevent the
agency from checking with a third party that the information provided by
the individual is correct or complete.
In this case, UNSW did not appear (on the facts reported) to explicitly ask DO
to list all universities he had attended. However, it did obtain authorisation
to obtain personal information from all such institutions. If (as would be more
usual) UNSW had explicitly asked DO to list all universities he had attended,
UNSW would still have been entitled to check the information he provided with
those universities (provided this complied with IPP 8).
The Commonwealth Privacy Act 1988 imposes requirements on private
sector organisations concerning collection from third parties (it imposes no
such requirement on Commonwealth agencies). NPP 1.4 provides that 'If
it is reasonable and practicable to do so, an organisation must collect
personal information about an individual only from that individual'. It goes on
to say in NPP 1.5 that 'If an organisation collects personal information about
an individual from someone else, it must take reasonable steps to ensure that
the individual is or has been made aware of the matters listed in subclause 1.3
except to the extent that making the individual aware of the matters would pose
a serious threat to the life or health of any individual'. These obligations
are very different from those imposed on NSW agencies: there is no obligation
to obtain the individual's authorisation to collect from third parties (though
NPP 1/4 imposes an obligation of notice in general terms), but the information
must also be collected from the individual wherever reasonable and practicable,
and the organisation must not check with third parties if it is reasonable not to check.
While the NSW agency provisions and the Commonwealth private sector provisions
are rather different, in general the NSW provisions impose a higher level of
obligation. The Commonwealth agency provisions impose none.
When is unsolicited information 'collected' (if at all)?
In Australia's Federal law it is argued that unsolicited information, whether
from the data subject or from 3rd parties, can be 'collected':
The Australian Privacy
Commissioner took a similar view in his IPP 1-3 Guidelines.
(The NSW public sector law excludes unsolicited information from 'collection':
In HK, B&W p97 seem to accept that unsolicited information is collected,
but not 'until the data user takes active steps to incorporate them into the
official working material of the organisation'.
However, in NZ a majority of the Court of Appeal has held unsolicited
information is not 'collected':
In light of
Harder, a decision of the NZ Court of Appeal, the question of whether
unsolicited information is 'collected' must also be considered open in
Australia and HK.
The consequence of adopting the Harder approach is that any contact
with an organisation initiated by the data subject will result in any
information so provided not being regarded as 'collected'. However, it is still
personal information. Other IPPs may still apply, but those that depend on
information being 'collected' will not.
Drawing a line between solicited and unsolicited information is also very
Personal information is obtained and recorded in many situations from
observations of the data subject:
- A doctor observing a patient's symptoms and taking notes.
- A private investigator or police officer taking notes about a person's
movements or actions
- A photographer or film crew or CCTV recording a person's movements
- A social worker observing the conditions in which a person lives, or how
that person treats his or her children or spouse
- Anyone recording their opinions about a person's truthfulness, sanity or
any other opinion.
If the obtaining of these types of observed personal information did not
constitute 'collection', then data protection laws would be drastically limited
in scope and would be largely useless.
Information obtained from observations ('surveillance') of the data subject is
'collected', but it is not 'solicited' from (in some Australian IPPs) or
'supplied' by (HK) the data subject. As a result, some notice requirements do
not apply in some laws (see later).
In Eastweek, a case of obtaining information by photographic
observation, the HK Court of Appeal majority found that there was not 'personal
data collection' but only because of the intent of the recipient of the
information. The case is better viewed as about 'personal data' not
'collection', and is therefore not significant on the question of whether
observations can constitute 'collection'.
Much personal information is extracted from documentary or other sources. If
information is not solicited from, or observed in relation to, any person, but
extracted from a book or a database, is it 'collected'?
In relation to Australian Federal legislation, Gunning argued extraction was
not collection, but this is not supportable:
- G Greenleaf
Can there be 'collection' from public documents or web cams? in 'Key
concepts undermining the NPPs - A second opinion' (2001) 8 Privacy Law &
Policy Reporter 1 - arguing that it is collection, but that Gunning's concerns
are addressed elsewhere, because no notice of collection is required when
personal information is extracted.
In Hong Kong, does DPP 1(3) assume there is collection from a person? If so,
extracted information is not collected. The better view, in keeping with the
privacy-protection purpose of the Ordinance, is that extraction is collection.
Absurd results are avoided because HK DPP 1(3) does not require notice since
there is no collection from the data subject. Use, disclosure etc DPPs will
apply, but data can be re-collected for other purposes.
It seems that the collection of personal information may be in any medium, such
as sound, photo or video, and not only text.
Is the purpose/intention of the recipient significant in determining if it is
'collection'? If Eastweek is interpreted as a case about the meaning of
'collection', not about the meaning of 'personal data', then its consequences
are less severe, as it will only affect the operation of IPPs dependent upon
collection. However, the better view is that it is a case about the meaning of
Personal data shall not be collected unless-
- In Harder v Proceedings Commissioner (see above), the collection
was by sound recording.
- In Eastweek (see above), the collection was by a photograph in a
- Concerning video, see Raymond Wacks
videos: Is the surveillance of domestic helpers lawful?' (2000) 7 PLPR 100;
Wacks considers that the covert filming of domestic employees is 'collection'
under the Hong Kong Ordinance; and that the exemption for 'household affairs'
does not apply to domestic employment. He does not consider whether covert
filming is 'fair' collection.
HKPCO Case No.: 200009383 'Surveillance on a domestic helper's workplace
activities' - Note there could be two reasons why this case is different from
web cams and CCTV: (i) 'document' and (ii) intention to identify.
Case No.: 200105935 'Whether the collection of genetic information is
(a) the data are collected for a lawful purpose directly related to a function
or activity of the data user who is to use the data
(b) subject to paragraph (c), the collection of the data is necessary for or
directly related to that purpose; and
(c) the data are adequate but not excessive in relation to that purpose.
A minimal objective negative standard.
- Private sector - Privacy Act 1988 Schedule 3
NPP 1 - Collection - NPP 1.1: 'necessary for one or more of its purposes'.
The purposes are not explicitly required to be lawful. The purposes of a
private sector organisation are not clearly defined, but it would be possible
to look at the articles of a company, or the business registration documents of
an unincorporated business.
- Commonwealth public sector - Privacy Act 1988 s14
1 - Manner and purpose of collection of personal information - IPP 1.1: 'a
lawful purpose directly related to a function or activity of the collector'.
Since a 'collector' must be an agency, the legislation under which the agency
functions could indicate what activities of the agency are intra vires.
The purpose must also be lawful.
- Statutory and common law lawful purpose
- Also, public bodies can act ultra vires; corporations can act outside
Articles of Association
- Lack of a lawful purpose means collection is itself a breach of IPP
B&W p98 state:
What are the implications of these interpretations?
The key weakness of the collection principles is shown by the question: 'how
do you define the 'function or activity' of the collector?' In the absence of
a 'purpose justification principle', it is largely self-defined. Beyond the
negative requirement of a 'lawful purpose', positive tests of justifiable
purposes of collection can only be found in the EU and Canada.
There is a form of 'purpose justification' principle in the European privacy
Directive - see the discussion in G Greenleaf
and the Directive' in 'Stopping surveillance: Beyond 'efficiency' and the
OECD' (1996) 3 PLPR 148 - in summary A7 requires that, where legitimate
processing has to be justified by the interests of the data collector or a
third party, it must be 'necessary for the purposes of the legitimate interests
pursued by the controller or by the third party or parties to whom the data are
disclosed, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject ...'
Perhaps the first privacy legislation outside Europe to give some recognition
to such a principle is s5(3) of the new Canadian
Personal Information Protection and Electronic Documents Act 1999, which
requires '(3) An organization may collect, use or disclose personal information
only for purposes that a reasonable person would consider are appropriate in
- 'function and activity' must relate to 'actual functions and activities
being carried out by the data user or those specifically contemplated.'
- 'lawful' requires compliance with both common law and statute.
The limit on collection limits the purposes for which systems may be developed
to a form of public interest test. This has no counterpart in other
There is no purpose justification requirement in IPP1 or NPP 1. Like many other
legislative sets of information privacy principles the NPPs do not contain any
'purpose justification principle' (called 'prior justification' in the
Australian Privacy Charter). 'Purpose justification' essentially means
that there should be some test of public interest which is satisfied before a
personal information system is established at all. None of the existing privacy
principles requires system operators to have 'legitimate' purposes for
establishing a system, but instead they measure privacy protection against how
well it adheres to the original purpose for which the system operator declared
that it collected the information, which the Europeans call the 'finality' test.
How to determine purpose of collection?
- Specified purpose - eg HK DPP 1(3)(b)(I)(A) - notice of purpose of
collection required if solicited
- Inferred purpose - required if observed, extracted, or required notice not
See B&W p100
HK DPP1(1) (c) requires 'the data are adequate but not excessive in relation
to that purpose.' (and (b) requires it to be 'necessary'). The Australian
provisions use 'necessary' in relation to the private sector.
HKPCO Case No.: 200102210 'Whether a statutory body could collect data from
two organizations charged with providing rehabilitation programmes for the
purpose of programme evaluation'.
This requirement relates to the quantity and relevance of collection,
not the means (see below concerning fair collection).
principle is broader than collection, but will have its main effects felt in
relation to collection.
HKPCO Case No.: 200012028 - 'a tertiary education institution, in asking
for a job applicant's age and marital status..' - only says it requires
HKPCO Case No.: 200001037 - 'Supervisors requiring sick staff to provide a
copy of the check-up cards for file record' - if health status is recorded on
cards, collection could be excessive
- [Enquiry case on retail services] - Warning notice given to retailer
collecting ID numbers as part of a gift redemption scheme
The only examples are in the Australian private sector and Victorian
legislation, NPP 8 ('Anonymity') of which says: 'Wherever it is lawful and
practicable, individuals must have the option of not identifying themselves
when entering transactions with an organisation.'
Private sector - Privacy Act 1988 Schedule 3
8 Anonymity : 'Wherever it is lawful and practicable, individuals must
have the option of not identifying themselves when entering transactions with
- Federal Privacy Commissioner Draft National Privacy Principle
Guidelines (May 2001) -
Chapter 11 - Anonymity
NPP 8 Anonymity in 'Private sector privacy: Problems of interpretation'
 CyberLRes 3
- Victorian public sector - NPP 8 in the Victorian Act
NSW and Commonwealth public sectors - no separate anonymity principle
Is an anonymity principle implied by the minimal collection requirement in
normal collection IPPs? Or are these narrower? Does NPP8 require anonymity to
be 'designed in'?
The requirement to give the data subject notice in the course of collection of
personal information is one of the most significant practical aspects of IPPs,
- the cost involved to the data collector
- the data subject is put on notice that he/she may need to protect his/her
Notification is only required by DPP 1.3 'Where the person from whom personal
data are or are to be collected is the data subject ...'
There is therefore no requirement of notification where collection is from (i)
3rd parties or (ii) documentary sources.
What if collection is from observations / surveillance of the data subject?:
All IPPs require the collector of the information to advise the subject of the
information that personal information about him/her has been collected, and
other information, but the NPPs and the s14 IPPs expressed this requirement
The difference in the notice requirement is one of the most commercially
important aspects of the NPPs.
- Commonwealth public sector Privacy Act 1988 s14
IPP 2 - Solicitation of personal information from individual concerned
(but should be called 'Requirement of Notice') provides:
- IPP 2 only applies if 'the information is solicited from the individual
concerned'. Therefore, IPP2 does not apply to (i) unsolicited information; or
(ii) information collected from a third party; or (iii) information extracted
by the collector from a generally available publication or some other
- Private sector - Privacy Act 1988 Schedule 3
NPP 1 - Collection provides:
- NPP 1.3 only applies a notice requirement to information collected 'from
the individual'. The better view is that this includes unsolicited information
from the individual concerned (see discussion above re the meaning of
- NPP 1.5 applies a notice requirement where 'an organisation collects
personal information about an individual from someone else'. Notice is
therefore required if personal information is collected from a third
party 'person'. The better view is that this includes unsolicited information
from third parties (see discussion above re the meaning of collection).
- NPP 1.5 only applies if information is obtained from 'a person'. It is
therefore arguable that where information is extracted by the collector from a
book or some other 'generally available publication' it is not obtained from 'a
person', and therefore there is no requirement to give notice of collection.
However, there may be important grey areas where information is extracted by
the collector from a database (eg a credit reference computer system) or some
public register (eg at the Land Titles Office) where it could be said that the
information was collected from a person (a legal person).
There is also no obligation to collect from the data subject where possible, and this
is one of the weaknesses of the Ordinance, when combined with the lack of a
NPP 1.4 requires collection from the individual where 'reasonable and
practicable'. The s14 IPPs have no such requirement.
1.3 has the following notice requirements:
IPP 4 had been breached in Casenote: Harder v Proceedings
Commissioner  3 NZLR 80 (NZ Court of Appeal) (2000) 7 PLPR 134
- See B&W pgs107-8 re UK example of when it is 'practicable' to give
See B&W p107 for the forms notice can take; no form is
The information that is communicated must include:
- explicit / implicit notice on or before collection of whether supply of
the data is obligatory and the consequences of failing to comply;
- explicit notice on or before collection of (a) the purpose for which the
data is to be used; and (b) the classes of persons to whom it may be
- explicit notice on or before first use, of access and correction rights
Failure to disclose the required information will be a
breach of the IPPs.
1(2) requires that 'Personal data shall be collected by means which are - (a)
lawful; and (b) fair in the circumstances of the case.' Intrusiveness is not
- 'The purpose(s) for which the information is collected: This is the
crucial step in limiting subsequent use and disclosure (determining
'finality'). Whatever purpose is communicated to the subject of the information
('the primary purpose of collection') will determine the legitimate subsequent
uses and disclosures of the information (subject to any specified exceptions).
- Details of any third parties to whom the collector 'usually' discloses
B&W p103 for illustrations of how this requirement focuses not on the
lawfulness of the purposes of collection, but on the means employed. As with
purposes, means can be unlawful because of a breach of criminal law or civil
law requirements (trespass, inducing breach of contract etc).
- Private sector - NPP 1.2: 'only by lawful and fair means and not in an
unreasonably intrusive way':
- This applies to all collection, including collection from third
- Commonwealth public sector - Privacy Act 1988 s14
IPP 3 - Solicitation of personal information generally - IPP 3(d): 'does
not intrude to an unreasonable extent upon the personal affairs of the individual
- Only applies where the information is 'solicited', but it does not say
'from the individual concerned', so it applies to collection from third
- Commonwealth public sector - Privacy Act 1988 s14
1 - Manner and purpose of collection of personal information - IPP 1.2:
'shall not be collected ... by unlawful or unfair means'.
- Applies to any form of collection.
But query B&W's comments concerning where information is provided in breach
of confidence. Is there an alternative view?
Covert forms of data collection might not be illegal, but they may still be a
breach because they are unfair.
The NZ Court of Appeal takes a much more restrictive
view than the HK Privacy Commissioner.
HKPCO Case No.: 200009383 - 'Surveillance on a domestic helper's workplace
HKPCO Case No.: 200112506 - 'recording by a debt collection agency of
conversations with debtors'
HKPCO Case No.: 199804574 - 'recording of telephone conversations between
customers and staff'
Whether IPP 4 had been breached in Casenote: Harder v Proceedings
Commissioner  3 NZLR 80 (NZ Court of Appeal) (2000) 7 PLPR 134 - When
can covert tape recording of a conversation be 'fair'? The Court stresses that
the purpose of the fairness requirement 'is to prevent people from being
induced by unfair means into supplying information which they would otherwise
not have supplied'.
The Australian Privacy Commissioner has issued Guidelines on covert surveillance.
These IPPs mainly affect collection of information, but may also affect some
other IPPs (eg the precautions necessary to satisfy the security principle).
Rehabilitation of Offenders Ordinance (Cap. 297) may prevent some
collection of information.
and State legislation dealing with old convictions prohibits the collection of
some information about old convictions.
and State computer crime laws sometimes provide a higher level of penalties for
unauthorised access to, or destruction of, various defined categories of
No.: 199803996 Whether an employer can ascertain from the Police matters
relating to prosecution of an employee.
- State 'listening devices' and other surveillance laws could make certain
types of collection unlawful or subject to conditions. See also the later
Reading Guides concerning (i) telecommunications and (ii)
- The Telecommunications (Interception) Act 1979
(Cth) makes certain forms of collection illegal and also subject to civil
remedies. See also the later Reading Guide concerning telecommunications.
of the cases under A8 of the ECHR concern unfair or excessive collection of
personal information. By analogy, A17 of the ICCPR may be relevant to (i)
resolving ambiguities in collection principles; and (ii) as a source of
individual complaints about collection practices under the First Optional
Whether the Australian IPPs meet the European standards of the EU Directive
needs to be assessed in relation to both specific principles and specific
- Collection for purposes unrelated to its functions could be ultra
vires the powers of a public sector body.
- N Waters 'Adequacy of Australian privacy laws in relation to the European
Union Directive'  CyberLRes 1, concerning the collection principles
applying to the following sectors: