APP 3 collection of sensitive information
APP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
Who must comply
All APP entities collecting sensitive information.
What triggers it
Collecting sensitive information.
When due
At each collection event.
Evidence required
Consent records; necessity assessment; collection notice.
Max penalty
Same penalty regime; class action exposure for biometric misuse (Clearview AI, 7-Eleven, Bunnings precedents)
Summary
APP 3 restricts collection of sensitive information (health, religious beliefs, racial/ethnic origin, political opinions, criminal record, biometric data + similar) to circumstances where the individual consents + collection is reasonably necessary, or specified exceptions apply.
Enforced by
Source legislation
Topics
Related obligations
- CWLTHPublish a Privacy Policy compliant with APP 1Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
- CWLTHProvide an APP 5 collection notice at or before collectionAPP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.
- CWLTHAPP 8 cross-border disclosureBefore disclosing personal information overseas, APP 8 requires reasonable steps so the recipient meets the APPs — unless an exception applies. Steps and exceptions.
- CWLTHAPP 12 & APP 13 access and correction requestsIndividuals can ask to access (APP 12) and correct (APP 13) the personal information you hold — the strict response times, allowable refusals and how to comply.
- CWLTHAPP 7 direct marketingAPP 7 restricts using or disclosing personal information for direct marketing and requires a simple opt-out — when it applies, the exceptions and penalties.
- CWLTHAPP 2 — anonymity + pseudonymity for individualsWhere reasonable, individuals must be able to deal with you anonymously or under a pseudonym.
Frequently asked questions
- Who must comply with APP 3 collection of sensitive information?
- All APP entities collecting sensitive information.
- What triggers APP 3 collection of sensitive information?
- Collecting sensitive information.
- When is APP 3 collection of sensitive information due?
- At each collection event.
- What is the maximum penalty for APP 3 collection of sensitive information?
- Same penalty regime; class action exposure for biometric misuse (Clearview AI, 7-Eleven, Bunnings precedents)
- What evidence is required for APP 3 collection of sensitive information?
- Consent records; necessity assessment; collection notice.
Source: https://oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-3-app-3-collection-of-solicited-personal-information. Rules Mate is not a law firm. Always verify against the live regulator source before acting.