How specific does my purpose for collection need to be?
When you collect personal information, you should only collect the information which you need in order to carry out lawful functions connected with your organisation. You should also only collect identifying information about people (name, address, driver's license or passport details) necessary for carrying out a lawful purpose. This is principle one of the Privacy Act.
In order to make sure you only collect the information you need, you should have a clear idea of what you what you want to do with the information. In other words, you need to know what your purpose is for collecting personal information before you collect it, as opposed to gathering a large amount of personal information on the off-chance you might need it.
It’s important to know what your purposes for collection are because this is something you will need to tell people about when you collect information from them. It’s also important because if you’ve told someone that your reason for collecting personal information is to use or disclose it in a certain way, you’re then entitled to go ahead and use or disclose that information in that way.
It can sometimes be difficult to know exactly how precise you need to be when deciding what your purposes for collecting the personal information are. You don’t want to make your purpose so narrow that it means you can’t use the personal information you’ve obtained, but, at the same time, you don’t want to make your purpose so broad as to be meaningless. For example, saying you’re going to collect information for ‘business purposes’ doesn’t really explain how you intend to use it at all.
If you are considering introducing a new policy in terms of the information you’re collecting, or changing the personal information you currently collect, you may want to consider doing a privacy impact assessment to help you identify what your purposes are for collecting personal information, and exactly what information you need to fulfil these purposes.
You might also want to try our Priv-o-matic privacy statement generator. It is designed to help you generate a ‘principle 3’ statement. These are minimal compliance statements that you need to show people when you collect their personal information.