APP 3: Collection of Solicited Personal Information
Australian Privacy Principle 3 limits collection of personal information to what is reasonably necessary, with stricter consent rules for sensitive information.
Scope of APP 3 and the 'reasonably necessary' test
APP 3.1 applies to agencies, while APP 3.2 applies to organisations. Both limit collection to personal information that is reasonably necessary for, or directly related to, one or more of their functions or activities. This means entities should only collect personal information when it’s genuinely needed to carry out their work.
The ‘reasonably necessary’ test is an objective one. The Office of the Australian Information Commissioner (OAIC) explains it as whether a reasonable person, properly informed about the purpose of the collection, would agree the collection is necessary. A crucial consideration is whether the entity could achieve its function or activity without collecting the information, or by collecting a smaller amount.
Entities are expected to adopt a data minimisation approach. This means limiting the collection of personal information to the minimum amount required to fulfil the intended purpose.
Higher bar for sensitive information
Collecting sensitive information carries a higher bar for compliance. APP 3.3 requires organisations to obtain an individual’s consent before collecting sensitive information, unless the information is reasonably necessary for the organisation’s functions or activities. Sensitive information, as defined in section 6(1) of the Privacy Act, includes categories such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, and biometric information and FRT.
There are limited exceptions to this consent requirement. One exception exists under APP 3.4(a) where collection is mandated or authorised by an Australian law or a court or tribunal order. Other exceptions apply where a permitted general situation under section 16A exists, or for organisations a permitted health situation under section 16B.
Organisations must carefully consider whether the collection of sensitive information is reasonably necessary for their functions or activities, and ensure appropriate consent mechanisms are in place where required.
Section 16A permitted general situations
Section 16A outlines seven permitted general situations where an organisation may collect, use or disclose personal information despite restrictions imposed by APP 3 (Collection of Solicited Personal Information), APP 6 (Data Quality), APP 8 (Storage and Security) and APP 9 (Retention and Disposal). These situations provide flexibility for organisations to respond to specific circumstances where strict adherence to those principles may be impractical or impede a necessary action.
Two of these situations relate to safety and legal matters. Item 1 permits collection, use or disclosure where it is required to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, and obtaining consent is unreasonable or impracticable. Item 4 allows for use or disclosure reasonably necessary for the establishment, exercise or defence of a legal or equitable claim.
Further permitted situations include taking appropriate action in relation to suspected unlawful activity or serious misconduct relating to the entity’s functions or activities (Item 2), locating a person reported as missing, subject to the Privacy (Persons Reported as Missing) Rule 2024 (Item 3), and use or disclosure reasonably necessary for a confidential alternative dispute resolution process (Item 5).
Means and source of collection (APP 3.5 and 3.6)
APP 3.5 mandates that personal information be gathered using lawful and fair methods. This principle ensures transparency and respect for individuals’ rights regarding their data. Organisations must consider the impact of their collection practices and ensure they are appropriate for the purpose.
APP 3.6 generally requires organisations to collect personal information directly from the individual concerned. However, this requirement is not absolute. Exceptions exist, including where the individual has provided consent for the information to be collected from another source, or where Australian law or a court/tribunal order authorises the collection. APP 5 notification at collection must be provided in these circumstances.
A further exception allows collection from a source other than the individual where it is unreasonable or impracticable to obtain the information directly. This recognises that in some circumstances, direct collection may not be feasible or appropriate.
Frequently asked
Does APP 3 apply to all personal information an entity holds?
APP 3 only governs the act of solicited collection. APP 4 covers unsolicited personal information, and APPs 6 and 11 cover later use, disclosure and security of information already held.
Can a business collect sensitive information without consent?
Only where an exception in APP 3.4 applies, including where the collection is required or authorised by Australian law, a permitted general situation under section 16A exists, or a permitted health situation under section 16B applies.