Privacy for agencies

When you, as an agency (a business or organisation), ask people for their personal information, you’re ‘collecting’ it. You need to tell people why you need their information and how you’ll use it. Then you can use their information for the reason you said you would when you collected it.

You might need to consider other languages or accessibility needs for people to best understand why you are collecting their personal information. 

Know why you’re collecting information

The Privacy Act says you can only collect personal information that’s necessary for a lawful purpose. That means only asking for personal information that you need to run your agency. 

Being clear about the reason you need personal information will help you make good decisions about only collecting what you need. That approach helps reduce your risk too because the less personal information you hold, the easier it is to keep up to date, and the consequences of a mistake (data breach) will be easier to control.  

Read more about the purposes for collecting information in principle one.

Dealing with change 

Businesses who want to make changes to their terms and conditions or privacy policies can do so consistently with the Privacy Act by considering:

  • what individuals have been told about how their information will be used (and the substance and clarity of those communications)
  • whether the new use is consistent with or directly related to what individuals have been told, or whether a new authority to use the information is needed
  • providing individuals with the options they need to maintain trust in their business, for example, whether the business can ringfence information collected before the change occurred.

Try and collect information directly from the person

You should try to collect information from the person it’s about so they know that you’ve got it and what you’re using it for. However, sometimes you need to ask for information from other sources. For example, asking a parent for information about their child, checking a reference for a job, or doing a credit check. 
It is legal to collect information this way when:  

  • You have the consent of the person the information is about, or
  • Getting the information from the person concerned would undermine the purpose of the collection, or  
  • You’re a public sector body and that information is necessary to uphold or enforce the law, or
  • The information is publicly available.

Read more about the source of personal information in principle two.

2026 brings new rules about collecting indirectly 

From 1 May 2026, the new privacy principle IPP3A will change an agency’s obligations when it collects personal information indirectly. Collecting personal information indirectly means that the agency collects the personal information from someone other than the person themselves.

Under IPP3A, if an agency collects someone's personal information indirectly, that agency is required to notify them, unless one of the listed exceptions applies.

The IPP3A requirements will only apply to personal information collected from 1 May 2026. 

Read more about what IPP3A means and how you can comply with it.

Tell people what you’re doing with a privacy statement

Sometimes it’s obvious to people that you’re collecting their information. Other times, it might not be. However, it’s good to be open so people aren’t taken by surprise.
A privacy statement is a good way to tell people what you’re doing with their personal information, and why. 

Your privacy statement should include:

  • that you’re collecting their information
  • why you’re collecting their information
  • whether you’re collecting their information under a particular law
  • who will be able to access the information
  • whether they can choose not to give you the information
  • what will happen if they don't give you the information
  • that they can ask to access and correct their personal information
  • how to contact you, or any organisation that is holding their information for you.

Our privacy statement generator can help you develop a statement. It’s good to have your privacy statement easy to find and easy to read. For example, if you’re collecting information through an online form, you can include a link to the privacy statement at the point of collection to make it easy for people to access.

Make sure you add the contact details for your privacy officer in there too so people can ask if they’ve got questions. 

Read more about what you need to tell people in principle three.

Be fair and reasonable when you’re collecting information 

Make sure you collect personal information in a way that is lawful, fair, and not unreasonably intrusive.

Read more about manner of collection in principle four.