The business can do this, even if it is subject to the NPPs. But there are some restrictions:

• The business cannot use unfair means to collect the information. So it cannot trick the person into giving the information or spy on them. See NPP 1.2.
• The business can use the information for building relationships with the clients but if it wants to use the information for some other purpose, it can do so only if the other purpose if the clients would reasonably expect that to happen (see NPP 2.1(a)) or if the clients have consented (see NPP 2.1(b)).
• If the business is collecting sensitive information (racial origin, political opinions, religion, philosophical beliefs, sexual preferences, criminal record, or health information) it will need to have the consent of the individual. See NPP 10. Sometimes it may not be obvious whether the other party has consented to all the uses of personal information that the business has in mind. The Privacy Act only states that consent can be either 'express' or 'implied'. The Guidelines to the NPPs give Tips for Compliance and other commentary in the Guidelines on NPP 2.1(b) and (c).

For more information about the coverage of the NPPs, click here Information Sheet 12

For more information about all the NPPs, see: http://www.privacy.gov.au/materials/types/brochures/view/6051 or http://www.privacy.gov.au/materials/types/guidelines#3.2.