Updated Guidance on APP 3 (Collection): What organisations and agencies need to know

Published
19 May 2026
Read time
10 min read

Introduction

In May 2026, the Office of the Australian Information Commissioner (OAIC) released updated guidance on Australian Privacy Principle (APP) 3, the principle governing the collection of personal information. The updated guidance helps entities understand when and how personal information can be collected, with references to contemporary technologies and issues including AI, facial recognition, data scraping, tracking pixels and data broking, and a sharper focus on data minimisation. It also includes a flow chart to support APP 3 decision making.

This post walks through the new features of the OAIC’s guidance on collection, why they matter, and what practical steps Australian organisations and agencies covered by the Privacy Act 1988 (Cth) should take in response.

Background: What Does APP 3 Cover?

APP 3 sets out when and how an APP entity (including government agencies and private sector organisations) may collect personal information. It is one of the original privacy principles, with antecedents in the 1980 OECD Privacy Guidelines, and it has changed little since then.

APP 3 applies where personal information is “solicited”, which means the entity has taken active steps to collect the information, such as asking an individual to fill in a form, deploying tracking technologies on a website, or purchasing data from a data broker. Where information arrives without any active step by the entity, APP 4 (dealing with unsolicited information) applies instead.

At its core, APP 3 asks two questions: can you collect this information, and how must you collect it?

The test for whether personal information can be collected differs slightly depending on whether the entity is a Commonwealth government agency or a private sector organisation:

  • For agencies, collection is permitted where the information is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities.
  • For organisations, the test is slightly narrower: the information must be reasonably necessary for one or more of the organisation’s functions or activities.

APP 3 imposes more stringent requirements where the information is “sensitive information”, a defined category that includes information about an individual’s health, biometrics, racial or ethnic origin, religious beliefs, sexual orientation or criminal record, among other categories. For sensitive information, consent is required unless a specific exception applies.

Regardless of entity type, all personal information must be collected by lawful and fair means, and must be collected directly from the individual unless an exception applies.

Over time, several issues have arisen around the application of APP 3 to emerging technologies and business models. These were highlighted most recently in the Bunnings determination and the subsequent Administrative Review Tribunal decision, where one of the questions for decision was whether the very transitory use of personal information in a facial recognition system constituted a collection. This is just one of many thorny issues that digital technologies raise in the area of “collection”.

What’s New in the Updated Guidance?

Collection Limitation and Data Minimisation

One of the most significant changes in the updated guidance is the emphasis placed on the principle of data minimisation. Entities must limit collection to the minimum amount of personal information required in the circumstances. Over-collection, that is, gathering more data than needed or gathering it “just in case”, may not only breach APP 3 but also increases security risk: every data point held is a data point that can be exposed, and the potential harm from a data breach grows with the volume and sensitivity of what was collected.

The guidance cites a recent determination (Commissioner Initiated Investigation into IRE Pty Ltd [2026] AICmr 24), which found that a rental technology platform collected personal information that was not reasonably necessary for its functions, including gender, citizenship status, visa expiry, details of dependants and bankruptcy status, from all rental applicants. This is a useful reminder that the presence of a field in a form by default is not a justification for collecting it. Each data point collected must serve a genuine, identified purpose.

AI and inferred data: a critical expansion

Paragraph 3.7 of the updated guidance addresses something that many organisations are only beginning to grapple with. Where an entity creates personal information through artificial intelligence, automated decision-making, data analytics, online cookies or internet of things (IoT) devices (that is, by generating, inferring or observing information from other data it already holds), this constitutes a collection of personal information, and APP 3 obligations apply in full.

This is a significant clarification. If your AI system generates a profile, prediction, or categorisation about an individual based on data you already hold, that output is collected personal information and must comply with APP 3, including that:

  • it must be reasonably necessary for your functions or activities
  • it must be generated by fair and lawful means, and
  • if it is sensitive information, consent or an exception under APP 3 will be required.

Organisations deploying AI tools, whether for customer segmentation, fraud detection, credit decisions, or any other purpose, should review whether the inferences they are generating meet these requirements.

Fair and Lawful Collection Practices

The guidance expands meaningfully on what constitutes a “fair” means of collection under APP 3.5. Fairness is not a fixed concept: it is assessed against community values, the context of collection, and the reasonable expectations of the individual.

Key factors the OAIC identifies as relevant to fairness include:

  • Whether the individual is aware their personal information is being collected (transparency through privacy policies and collection notices is necessary, but not sufficient on its own)
  • Whether the individual would reasonably expect their information to be collected in this way and for this purpose
  • Whether the individual’s choices are being distorted or manipulated through poor online choice architecture, including “confirm shaming”, bundled consent, biased framing, and default settings that push individuals toward sharing more data than they intended
  • The risk of harm to the individual from the collection, including risks of discrimination, particularly relevant to biometric and sensitive information
  • Whether the individual is in a vulnerable situation, including children, people experiencing financial distress, people with language or literacy barriers, and those in environments with significant power imbalances (such as rental applicants who cannot choose which platform to use)

The guidance also reinforces that publicly available information, including information scraped from the internet, does not automatically mean an entity can collect and use it however it wishes. Collection of publicly available information must still comply with APP 3 or APP 4, and once collected, the information is subject to all APPs.

Risks with Automated Collection Technologies

The updated guidance pays close attention to automated collection methods, including data scraping, web crawling and third-party tracking pixels. The OAIC notes that these methods can, often inadvertently, be configured to collect sensitive information, and that entities deploying them should exercise particular caution over what the tool is actually capturing, not just what it was intended to capture.

The guidance also notes that even momentary collection (e.g. holding personal information for milliseconds before it is destroyed or passed on) constitutes a collection for Privacy Act purposes, as determined in the recent Bunnings decision. This has real implications for entities operating facial recognition systems, digital identity exchanges, or any system that processes personal information in transit.

Use of Third Parties and Offshore Data Handling

The guidance emphasises that where an entity engages a third party to collect personal information on its behalf, the contractual arrangements must cover how personal information will be handled and must ensure that the third party understands its Privacy Act obligations. This is especially important where the third party is located offshore, as the entity may be held liable for the acts of that offshore third party.

Two entities can collect the same personal information, such as where one entity collects information pursuant to a contract with another. Whether the entity with contractual control (but not physical possession) is taken to have collected the information depends on the degree of control it exercises over the data under the contractual arrangements.

Reasonable Expectations Around Collection and Use

The concept of reasonable expectations runs throughout the updated guidance. Individuals’ expectations are shaped by what they were told at the point of collection, the terms and conditions of the service they are using, the context in which their information was originally provided, and broader community norms.

The guidance makes clear that an entity cannot consider collection to be fair simply because it has published a notice about it. Consent cannot be inferred from non-objection. And where individuals have no real choice about whether to engage with a platform, as is common in the rental market, the OAIC has shown it will look carefully at whether collection in that context is truly fair.

Practical Implications for Affected Organisations

The updated guidance has several clear practical implications for Australian entities covered by the Privacy Act:

  1. Audit your data inventory. For every category of personal information you collect, ask: is this reasonably necessary for a specific function or activity? Could we achieve the same outcome with less data? If you cannot answer these questions, that is a risk.
  2. Map your AI-generated and inferred data. If you use AI, machine learning, analytics, cookies, or IoT devices to generate, infer, or observe information about individuals, treat the outputs as collected personal information. Apply the same necessity and proportionality analysis you would apply to directly collected data.
  3. Review your online forms and choice architecture. Examine how your data collection forms are designed. Are users given genuine choices? Are consent mechanisms bundled? Are defaults set to maximum data collection? Unfair designs that pressure users to provide personal information are increasingly on the OAIC’s radar.
  4. Check your third-party and offshore arrangements. Ensure contracts with data processors and third-party collectors include appropriate privacy obligations. Do not assume that outsourcing collection transfers your Privacy Act liability.
  5. Update your privacy policies and collection notices. Ensure they accurately describe what you collect, how you collect it, and why, including any AI-generated or inferred data. Transparency is a necessary (if not sufficient) component of fair collection.
  6. Pay particular attention to sensitive information. Review all sensitive information collections and confirm either that valid consent is in place or that a specific exception in APP 3.4 applies. Do not rely on implied consent or notice alone.

Conclusion

The OAIC’s updated APP 3 guidance reflects a maturing regulatory approach to privacy in Australia, which takes seriously the realities of AI, automated decision-making, and data-intensive business models. The explicit confirmation that generating, inferring, or observing personal information through AI constitutes a “collection” subject to APP 3 is a significant development that many organisations will need to act on promptly.

The core message of the guidance is not new, but it is stated with increasing force: collect only what you need, collect it fairly and lawfully, and be prepared to demonstrate why every data point you hold is reasonably necessary for your functions and activities. In a regulatory environment where the OAIC is initiating investigations and making determinations against household-name entities, this is not a standard that organisations can afford to treat as aspirational.

If you would like assistance reviewing your data collection practices, AI governance frameworks, or privacy documentation in light of the updated guidance, the team at Privacy 108 is here to help.


This post has been prepared for general informational purposes only and does not constitute legal advice. Privacy 108 recommends seeking specific legal advice regarding your organisation’s compliance obligations.

References:

  • OAIC, Chapter 3: Australian Privacy Principle 3 — Collection of Solicited Personal Information, Version 1.2, May 2026
  • OAIC, APP 3 Flowchart, May 2026
  • Commissioner Initiated Investigation into IRE Pty Ltd (Privacy) [2026] AICmr 24
  • Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130
  • Court Data Australia and Office of the Australian Information Commissioner [2025] ARTA 876
