Protecting Information Rights – Advancing Information Policy

CONTACT US: 1300 363 992

Can I authorise someone to act on my behalf when dealing with a business?

Generally, yes. The Privacy Act does not prevent businesses from dealing with someone you have authorised to act on your behalf.

However, different organisations may have slightly different procedures to ensure that they have your authorisation to deal with someone else on your behalf.

A risk in this process is that a person may try to get access to another individual's information. To deal with this risk, organisations could have procedures to establish that the individual giving the authorisation is who they say they are. The way in which an organisation approaches this risk would depend on the organisation and the circumstances. Many organisations will have identity validation procedures already in place as part of their normal business practice. The identification procedures used may depend on how the individual approaches the organisation (i.e. whether in person or over the telephone) and should be robust enough to satisfy the organisation of the individual's identity.

Generally speaking, the Privacy Commissioner would expect that if a customer were to follow the security and identification procedures an organisation uses in its ordinary dealings, and give their consent, a third party may be able to act on that customer's behalf. There is no requirement in the Privacy Act that consent be given in writing in these circumstances, although some organisations may prefer this method for security reasons. There are, however, some specific requirements for written consent in relation to credit reports.

Many organisations today have telephone services whereby a customer's identity and consent for a variety of transactions can be verified over the telephone. Thus, in some cases it would be reasonable to expect organisations to accept verbal consent from a customer to allow a third party to act on their behalf, provided robust identification and security procedures have been followed to satisfy the organisation that the consent is valid and the identity is correct. Sometimes organisations may decide that the circumstances and risk mean that they will still need a written authorisation. The Privacy Commissioner anticipates a common-sense approach by organisations to security procedures that takes account of extenuating circumstances.