How can I find out what information a company has collected about me?

In Plain English

Generally, you have the right to know what personal information a company or organization ("APP entity") holds about you. The Privacy Act 1988 includes Australian Privacy Principles (APPs) that govern how these entities handle your information.

Specifically, APP 5 says that when an APP entity collects personal information about you, they need to take reasonable steps to let you know certain things. This includes telling you:

  • Their identity and contact details.
  • If they collected the information from someone other than you, or if you might not realize they have your information.
  • If an Australian law or court order requires them to collect the information.
  • Why they are collecting the information.
  • What happens if you don't provide all or some of the information.
  • Who else they usually share this type of information with.
  • That their privacy policy explains how you can access and correct your information.
  • That their privacy policy explains how you can complain about privacy breaches and how they'll handle your complaint.
  • If they're likely to send your information overseas.
  • If so, which countries those recipients are likely to be in (if it's practical to specify).

In addition, the entity's APP privacy policy should explain how you can access the personal information it holds about you and seek correction of that information. It should also explain how you can complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint.

Detailed Explanation

Australian Privacy Principle (APP) 5 of the Privacy Act 1988 outlines the requirements for notification of the collection of personal information. Specifically, subclause 5.1 states that at or before the time, or as soon as practicable after, an APP entity collects personal information about an individual, the entity must take reasonable steps to notify the individual of certain matters or otherwise ensure the individual is aware of them.

Subclause 5.2 details the matters that must be notified, including:

  • The identity and contact details of the APP entity (5.2(a)).
  • If the APP entity collects the personal information from someone other than the individual, or the individual may not be aware that the APP entity has collected the personal information, the fact that the entity so collects, or has collected, the information and the circumstances of that collection (5.2(b)).
  • If the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order, the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/tribunal order, that requires or authorises the collection) (5.2(c)).
  • The purposes for which the APP entity collects the personal information (5.2(d)).
  • The main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity (5.2(e)).
  • Any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity (5.2(f)).
  • That the APP privacy policy of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the correction of such information (5.2(g)).
  • That the APP privacy policy of the APP entity contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint (5.2(h)).
  • Whether the APP entity is likely to disclose the personal information to overseas recipients (5.2(i)).
  • If the APP entity is likely to disclose the personal information to overseas recipients, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them (5.2(j)).

Therefore, to find out what information a company has collected about you, you can start by reviewing any notifications they provided at the time of collection, and by examining their APP privacy policy.