IP Whiteboard

Out with the old, in with the new technology: Privacy Act APP 3 guidance updated for a digital world

22 May 2026

The Office of the Australian Information Commissioner (OAIC) has released an overhauled set of guidance on the collection of personal information under the Privacy Act 1988 (Cth) (Privacy Act). While the new guidance does not change the law, it consolidates and formalises the OAIC’s views on many cutting-edge issues around collection – including on the generation of information via artificial intelligence, the operation of facial recognition technology, and modern online advertising and tracking technologies.

In many respects the details will be familiar to close readers of the key privacy determinations and investigations in recent years. Most importantly, the new guidance:

  • reinforces the focus on data minimisation and fairness, as has also been reflected in recent determinations – putting organisations on notice that the OAIC is looking at the proportionality and contextual fairness of systems and technologies being used
  • emphasises that creating or generating personal information, including through generative AI, analytics, cookies, pixels, and internet-of-things devices, is a form of collection
  • reiterates that personal information publicly available on the internet still needs to be collected in accordance with APP 3 or APP 4 and
  • expressly states that momentary collection, even for milliseconds, is subject to the Privacy Act, including where an entity is acting only as a router or hub (reflecting the recent confirmation of this point by the Administrative Review Tribunal).

The positions put forward on these issues may change in future, and the guidance itself recognises that some key findings remain subject to review. However, this is nonetheless a significant update capturing the key lessons the OAIC wants digital economy businesses to take away from its recent enforcement activities.

What are the key issues raised in the new guidance?

The updates take the form of a re-written Chapter 3 of the ‘APP Guidelines’, the widely used reference guide published by the OAIC on its interpretation of the Australian Privacy Principles (APPs). Importantly, the guidelines are not themselves legally binding and will not influence how a court interprets the APPs. However, they are still important indicators as to how the OAIC intends to interpret and apply the law.

APP 3 relates to the collection of ‘solicited personal information’, and this guidance is about the requirements on entities that take active steps to collect personal information. The existing guidance already included examples relevant to traditional methods of information collection, such as forms, call centres, and customer sign-up flows. However, the updates now go beyond this to cover considerations relevant to digital businesses with special attention paid to issues around AI, content scraping, tracking pixels, biometric systems, data brokers, and the ‘choice architecture’ of online services.

At their core, the updates reflect a range of recent findings (including the Commissioner’s own determinations, reviews in the Administrative Review Tribunal, and court precedents) applying the Privacy Act in new technological contexts and address issues that are unique to or exacerbated by new technologies, such as:

  • the wide availability of personal information publicly on the internet
  • the often very fast processing and deletion of information, including the use of third party service providers for routing or processing and
  • the automated collection of information through marketing technologies such as cookies, pixels, and other online profiling and tracking technologies.

What are the details of the changes?

The changes are summarised below by topic, setting out what the APP 3 guidance now says and why it matters.

Collection from public sources

What the APP 3 guidance says now: The guidance on the meaning of ‘collect’ now expressly includes that it applies to gathering, acquiring, or obtaining personal information from ‘publicly available sources on the internet’. The Key Points at the start of the chapter also state that publicly available personal information ‘does not allow it to be collected and used in whatever way the APP entity chooses without regard to the knowledge and reasonable expectations of the person whose information it concerns’ and that it must still be collected in accordance with APP 3 or APP 4.

Why it matters: Other forms of data protection – most notably confidentiality – may be fatally undermined if information is placed in the public domain. However, the same does not apply in the privacy realm – privacy restrictions may still apply even if information has been shared in a public forum. Accordingly, organisations cannot assume that privacy compliance concerns can be ignored simply because they are obtaining information from a public source.

New examples of collection: AI, analytics, and inferred data

What the APP 3 guidance says now: New examples of collection to which APP 3 applies now expressly include:

  • where an entity ‘creates personal information with reference to, or generated, inferred or observed from’ other information it holds
  • personal information gathered through automated collection methods such as data scraping, web crawling, and third-party tracking pixels
  • personal information provided to an AI chatbot or agent on the entity’s website
  • information purchased from a data broker.

Why it matters: None of these new examples are particularly surprising, and many organisations would already consider these to be obvious. However, one important flow-on effect is that organisations using one of these methods of collection will need to be sure to say so in their privacy policies (which must include information about the kinds of personal information that an entity collects, as well as how it collects personal information). We expect that this is an area that the OAIC may scrutinise in future, to ensure that organisations are being appropriately transparent around the ways in which they may collect information.

Momentary processing

What the APP 3 guidance says now: The guidance now states that an entity collects personal information ‘even if it only holds the information momentarily (e.g. for milliseconds)’. The examples add information collected and held momentarily before being destroyed or disclosed, including facial recognition systems and digital identity exchanges.

Why it matters: This is now relatively clear, following recent decisions by the Administrative Review Tribunal on this issue. Where personal information is collected for inclusion in a record (or a generally available publication), it is collected for the purposes of the Privacy Act even if that record is destroyed after a very short time as part of an almost instantaneous technical process.

Emphasis on data minimisation and proportionality

What the APP 3 guidance says now: There are significant new additions to the sections on the scope of information that may be collected, including the requirement to only collect information that is ‘reasonably necessary’ for an organisation’s ‘functions or activities’. The guidance now states that:

  • the functions or activities of an organisation will be determined objectively (e.g. looking at public statements, representations, past conduct, etc.) and that, while functions and activities may change over time, it is not sufficient to simply state the purported functions or activities (e.g. on a website, or in an annual report) if these are ‘inconsistent with practical reality’
  • proportionality is implicit in the ‘reasonably necessary’ requirement, and ‘requires entities to take a data minimisation approach’. Whether the scope of information being collected is proportionate ‘requires balancing the privacy impacts resulting from the collection against the benefits gained’.

Why it matters: Along with recent enforcement activity (and in particular the determination in Commissioner Initiated Investigation into IRE Pty Ltd (Privacy) [2026] AICmr 24 (‘IRE’), which is cited several times in the new guidance), it is clear the OAIC has a renewed focus on data minimisation. The relevant standard can no longer be interpreted as a broad or loose requirement to establish that the information has some level of business utility. Rather, the specific use and proportionality of what is being collected for that use must be considered.

AI training

What the APP 3 guidance says now: One specific new example of collection that may not be reasonably necessary has been added: ‘collecting personal information to train an AI model, when this training could be achieved with de-identified information or with a lesser amount of personal information’.

Why it matters: When setting up a new AI system, some thought will need to be given to what information is used for further training and refinement of the AI system, and AI governance structures should be able to explain why personal information is needed at all, and why a smaller or de-identified dataset would not be sufficient. AI developers should also refer to the OAIC’s specific guidance on this topic (available here). That guidance suggests that developers can achieve data minimisation by:

  • limiting the information at the collection stage through collection criteria
  • limiting annotations to what is necessary to train the AI model
  • removing or ‘sanitising’ personal information after it has been collected, but before it is used for model training purposes.

Sensitive information and consent

What the APP 3 guidance says now: The guidance on consent now spells out the (by now familiar) four elements of valid consent recommended by the OAIC: that the individual is adequately informed, gives consent voluntarily, the consent is current and specific, and the individual has adequate capacity. It also cautions that a privacy policy or APP 5 collection notice will ‘generally’ not itself amount to consent, and that entities should take ‘particular caution when using automated collection methods’ that may inadvertently be configured to collect sensitive information.

Why it matters: Issues around consent must be carefully considered whenever sensitive information is involved, particularly where automated methods such as scraping or tracking pixels are used or when collecting information through a third party. In relation to the latter, it is also important to bear in mind the general position that personal information should be collected directly from the individual concerned (rather than via a third party) unless it is impracticable to do so. Amongst other things, that will provide an opportunity to obtain or confirm consent if necessary.

Collecting personal information where a ‘permitted general situation’ exists

What the APP 3 guidance says now: The guidance has been updated to reflect the decision in Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130 (as well as the Kmart determination, which the OAIC guidelines refer to as pending ART review), which provides the most recent detailed consideration of these issues. In particular, that decision reflects the view that the relevant factors are:

  • the suitability of the proposed collection
  • the alternatives available
  • whether the proposed collection is proportionate.

Why it matters: These provisions have particular importance as they provide not only broad exemptions to the APP 3 collection requirements, but also exemptions to other restrictions on subsequent use and disclosure. The detail of the underlying determinations cited in this section of the guidance should be considered if relying on these exemptions. The closer that a use case aligns to a previously considered scenario, the safer it will be. Novel use cases will need to be carefully considered, and a detailed privacy impact assessment should be prepared to maximise the chances of fitting within the scope of the relevant permitted general situation.

Fair means

What the APP 3 guidance says now: The previous, very brief, section on collecting by ‘fair’ means has been replaced with the OAIC’s view of a broader contextual framework. The OAIC suggests that relevant factors to consider include whether the individual is aware of collection, whether the collection matches reasonable expectations, whether online choice architecture distorts choice, and whether there are genuine alternatives, vulnerability, and likely harm. Consistent with the recent determination in IRE, deception or misinformation is relevant, but not necessary, for collection to be seen as unfair in particular circumstances. Further, notice of the collection is relevant, but not conclusive. Instead, the details on each of the factors identified must be considered.

Why it matters: In advance of the much-discussed overarching ‘fair and reasonable’ requirement for handling personal information (which was proposed, and has been accepted in principle by the Government, as part of the Privacy Act Review process), this guidance clearly demonstrates the ways the OAIC is approaching ‘fairness’ under the Privacy Act, and – pending further guidance from the ART – is informative for how such an overarching right might be applied in practice.

Simultaneous collection

What the APP 3 guidance says now: A point that may be easy to overlook, the guidance now also provides that multiple entities may collect the same personal information (just as multiple entities may ‘hold’ the same personal information because one has possession and another has control).

Why it matters: This is a potentially contentious point in the guidance, as simultaneous collection is not as clearly supported by a literal reading of the Privacy Act compared to whether multiple entities can simultaneously ‘hold’ information. The flow-on effects of how this applies to complex chains of entities, especially in the absence of a distinction in Australia between ‘controllers’ and ‘processors’, may require further consideration in time.

What to do next

The new guidance should not radically change existing compliance postures, particularly for those organisations that have been following the recent enforcement activities of the OAIC.

However, the recent changes serve as a useful prompt for organisations to conduct a ‘health check’ on their current information collection processes, privacy impact assessment frameworks, and supporting documentation, including privacy policies, to ensure that there is full alignment and collection practices are being accurately and transparently presented.

A privacy policy review will no doubt be on the agenda for many organisations in any case, given the new automated decision-making disclosure obligations coming into effect in December. The OAIC has indicated that further guidance on those obligations will be published in the coming months.
