Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Can a business take information from public sources and use it to approach potential customers?

Generally, yes. But if the business is covered by the National Privacy Principles (NPPs) in the Privacy Act, there are some things it will need to do. For more information about the coverage of the NPPs, click here Information Sheet 12

Example: A bridal boutique take names from engagement notices, matches them with information from the phone book, and uses the combined information to approach potential customers.

The boutique can do this. But if the boutique is covered by the NPPs, it will have some obligations.

It must tell the potential customers: its name and how to contact it (which it will want to do in any case), why it has collected the information, to whom (if anyone) it usually discloses the information, and how the customer can get access to the information. This could usually be done at the first approach to the potential customer. See NPP 1.5.
It must only use the information for the purpose of approaching the potential customer (the 'primary purpose of collection') or for a related purpose that the potential customer would expect (a 'secondary purpose'). For example, it should not give or sell the information to another business the potential customer has never heard of.See NPP 2.1(a).
It must do what it reasonably can to make sure that the information is correct. So if it finds out that some of the information it collected from the engagement notices is wrong, it must delete or correct that information. See NPP 3.
It must keep the information reasonably secure. See NPP 4.
It must have a privacy policy. Assuming that the boutique is not doing anything unusual with the personal information it collects, this would only need to be a short statement about what personal information the outique collects, where it gets it from and how it uses it. See NPP 5.
It must give the potential customer access to the information on request and correct any errors the customer points out. See NPP 6.
Usually these will be the boutique's only obligations under the NPPs.

For more information about all the NPPs, see: http://www.privacy.gov.au/materials/types/brochures/view/6051 or http://www.privacy.gov.au/materials/types/guidelines#3.2.

Example: A removals company uses information in house sale ads to target potential customers. Yes, it can do this. But it will have the same obligations as the bridal boutique.