Australia

A business is collecting my personal information without explaining why. Is this allowed?

Privacy Principles: 13 APPs
Notification rule: APP 5
OAIC complaint window: 30 days
Max penalty: AU$2.3M

The Short Answer

No, it is not allowed. Australian law requires businesses to clearly explain why they collect your personal information before or at the time of collection.

What the Law Says

Australia’s privacy framework is built around the Australian Privacy Principles (APPs), which apply to most businesses with an annual turnover of $3 million or more — and some smaller ones too. The key rule about collecting personal information without explanation is found in APP 5.

APP 5 — 'Notification of the collection of personal information' — says that if an organisation collects personal information about you, it must take reasonable steps to notify you (or ensure you are aware) of several things, including why the information is being collected, who it may be shared with, and how you can access or correct it.

This notification must happen 'at or before the time' the information is collected — not later, and not only if you ask. If the business fails to do this, it breaches the Privacy Act.

There are limited exceptions — for example, if telling you would pose a serious threat to someone’s life or health, or if it’s required or authorised by law — but these are narrow and rarely apply to routine business collection.

Statutory Text

An organisation must take such steps (if any) as are reasonable in the circumstances to notify the individual of certain matters, including the fact that the organisation has collected personal information about the individual, the purpose for which the information was collected, and the organisations or types of organisations to which the organisation usually discloses information of that kind.

Privacy Act 1988 (Cth), s. 13.5 — Australian Privacy Principle 5

What to Do

1. Check the business’s privacy policy — it must be easy to find and clearly state why they collect your information.

2. Contact the business directly and ask for written confirmation of the purpose and legal basis for collection.

3. If unsatisfied, make a formal complaint to the Office of the Australian Information Commissioner (OAIC) within 30 days of the issue arising.

4. You can also request access to or correction of your personal information under APP 12 or APP 13.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.