Legal Grounds for Data Processing

Organisations must manage personal information in an open and transparent way and collect personal information only by lawful and fair means.

An organisation can collect personal information (excluding sensitive information) only when it is reasonably necessary for one or more of the entity’s functions or activities.

An organisation can only collect personal information directly from the individual unless it is unreasonable or impracticable to do so.

Australian Privacy Principle 7 of the Privacy Act deals with direct marketing. It provides that an organisation may use or disclose the personal information it holds about an individual for the purpose of direct marketing (other than sensitive information) when the following conditions are met: the personal information is collected directly from the individual; the individual would reasonably expect the organisation to use it or disclose it for the purpose of direct marketing; the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and the individual has not made such a request to the organisation.

Where the organisation collected the information from the individual and the individual would not reasonably expect the organisation to use or disclose the information for the purpose of direct marketing, or where the organisation collected the information from someone other than the individual, the organisation is allowed to use or disclose personal information (other than sensitive information) about the individual for that purpose if:

  • the individual has not made a request to the organisation not to receive direct marketing communications; and
  • either the individual has consented to the use or disclosure of the information for that purpose, or it is impracticable to obtain that consent.

The organisation needs to provide a simple means by which the individual may easily request not to receive direct marketing communications from the organisation. Likewise, in each direct marketing communication with the individual, the organisation must either include a prominent statement that the individual may make such a request or draw the individual’s attention to the fact that the individual may make such a request.

  • An organisation can use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.
  • An organisation can use or disclose personal information for the purpose of direct marketing if the organisation is a contracted service provider for a Commonwealth contract, which collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract, and the use or disclosure is necessary to meet (directly or indirectly) such an obligation.

A credit reporting body cannot use or disclose information about an individual for the purposes of direct marketing (there are some legal exceptions). When a credit reporting body that holds credit information about an individual is encompassed within the exceptions to the prohibition of direct marketing, the individual concerned can request it not to use that information.

A credit reporting body that makes a pre-screening assessment in relation to direct marketing by, or on behalf of, a credit provider cannot use or disclose such an assessment.