APP 5: Notification at the Point of Collection

When notification must occur

APP 5.1 requires an organisation collecting personal information to notify the individual, or ensure they are aware, of the relevant matters. This notification must occur through reasonable steps taken before, or at the time of, collection.

If it is not practicable to notify at the point of collection, reasonable steps must be taken as soon as practicable after collection. This applies regardless of whether the information is collected directly from the individual or obtained from a third party. The organisation must also ensure the privacy policy, as per APP 1.3 privacy policy minimum content, is accessible.

APP 5 applies to all personal information, encompassing both solicited information collected under APP 3 and unsolicited information retained under APP 4.

Mandatory APP 5 matters

The Australian Privacy Principles (APPs) outline specific matters that must be notified to individuals at the point of collection. These mandatory notifications ensure transparency and allow individuals to make informed decisions about providing their personal information. The identity and contact details of the APP entity collecting the information must be provided.

Furthermore, notification is required in circumstances where personal information is obtained from a source other than the individual, or the individual is unaware of the collection. This includes informing the individual of any legal or court/tribunal order that requires or authorises the collection, along with details of that law or order. The purposes for which the information is being collected, and the consequences of not providing all or some of the information, must also be clearly communicated.

Finally, APP entities must also notify individuals of any other entities, bodies or persons – or types of them – to which the personal information is usually disclosed. This provides individuals with a clear understanding of how their information may be shared.

Cross-border, access and policy matters

When collecting personal information, the APP entity must inform the individual about certain matters relating to access, complaints, and overseas disclosure. This includes providing details about how the individual can access and correct their personal information, as outlined in the entity’s privacy policy APP 5.2(g). The entity must also advise the individual on how to make a complaint about a potential breach of the Australian Privacy Principles and how the entity will handle such complaints APP 5.2(h).

Individuals must also be notified if the entity intends to disclose their personal information to overseas recipients APP 5.2(i). Where it is practicable to do so, the entity must specify the countries where those overseas recipients are likely to be located APP 5.2(j).

Further information regarding disclosures to overseas recipients can be found at APP 8 overseas disclosure.

When notification may be reasonable to omit

The Office of the Australian Information Commissioner (OAIC) recognises that providing notification at the point of collection is not always required. There are limited circumstances where omitting notification may be reasonable. This includes situations where an individual is already familiar with the information that would typically be provided, such as through prior engagement or public knowledge. Privacy Act 2026 SMB guide

Notification can be reasonably omitted if providing it would compromise the intended purpose of collecting the personal information, or if it would risk the security or integrity of that information. Furthermore, an organisation may be justified in omitting notification if doing so would pose a significant threat to the safety or life of an individual.

Finally, an organisation may omit notification where it is legally mandated not to, due to conflicting legal obligations.