What To Do When an Organisation Asks for It

Privacy laws generally include a requirement that personal data must not be collected unless it is relevant, and the data collected must not be excessive.

But most forms that people are expected to fill in when they deal with organisations contain requests for personal data that is irrelevant. And the excessive data that they ask for may be sensitive to you.

This document provides guidance on what you should do when you're confronted by unreasonable demands of these kinds.

If you just want the summary, you can skip the explanations and go to the Action Points.

Two companion documents deal with the following related topics:

Why Do Organisations Need Personal Data?

For some interactions between people and organisations, the organisation needs no information about you at all. For example, when you make a general enquiry at a front counter, to a call-centre, or by email or web-form, the organisation has no justification for demanding any information about you. (But of course they can ask for it, and if it's 'what name should I use for you?', 'where shall I send the brochure?' or 'what number do you want me to call you back on?', you probably want to give it to them).

Similarly, no personal data is needed for a great many consumer purchases, all the way from a cup of coffee, via a supermarket trolley-full of goods, to a houseful of furniture – provided that the seller has received payment in cash or some other reliable form that can't 'go bad' on them.

On the other hand, for many interactions between people and organisations, the organisation may need some personal data. There are three broad reasons that are good ones:

There is a fourth broad reason, that may or may not be good enough to justify demands for data:

Some of the data that an organisation seeks from you, or from somewhere else, may be sensitive. For example, you may wish to avoid having your home-address in the organisation's files if one of the people in the household has been subjected to harassment or stalking; so you might provide a P.O. Box, or an indirect address c/- someone else, or just the address of a trusted friend or relative. Sensitivity is a personal thing, not something that can be decided by companies, government agencies or even parliaments.

But most people, most of the time, are happy to provide data to organisations, provided that they understand why it is relevant, and they regard the organisation as being trustworthy.

This document is about what you should do when personal data is demanded that you think is unreasonable.

The Starting-Point

Take into account the following:

The Action Points

If you don't want to provide particular personal data, or even any personal data at all, here's what we suggest you should do:

The First Round – Negotiate

  1. Ask the organisation why it wants the information.
    It's possible that they will have an explanation that satisfies your concerns.
  2. If the answer fails to convince you the information is necessary, then:
  3. If the organisation's reason is only partly relevant, then provide the information that you think is relevant.
    For example, instead of revealing your birth date, it may suffice to declare that you are over the age of 18, or under the age of 65.
  4. If the organisation persists in asking for the data, you may want to ask for more information about their privacy policies generally, and their use of this data in particular. In particular:

In many cases, organisations will accept forms that don't disclose irrelevant data, and in some cases they will overlook the fact that the data hasn't been provided (e.g. because they know that the form doesn't work in all circumstances).

The Second Round – Negotiate Harder

If the organisation persists, here's what you can do next:

  1. If the organisation insists that all sections must be completed, avoid unpleasant confrontation. (It doesn't help anybody.)
    For example, in some circumstances you can ask for a form to take home and mail in. Or you can print out the web-form that refuses to let you leave an answer blank, write in the answers, and mail it in.
  2. If the organisation still says that it won't accept the document, tell them that "I want a formal internal review by a senior manager, before I complain officially to the regulator".
    Be vague about which regulator you will complain to. Let them imagine whichever regulator they're most concerned about.
    If they refuse to pass it up to a manager, write down the date and time, and the name of the person who did the refusing, and preferably the words they used. (They look bad in the eyes of a regulator if they had an opportunity to review the decision and failed to do so).
  3. If a manager conducts a review, patiently explain your concern – remember that it may be the first time that the manager has heard about the problem. You might want to mention identity theft, sensitivity of the data to you, or sensitivity of that kind of information in our culture. You do not have to expose yourself – that's the point of privacy! – but the manager needs to be able to understand that you are both concerned and rational. Ask again why they need that personal data. If you still meet resistance, you can increase the pressure.
    For example:

Many problems can be resolved in a reasonable manner at this stage.

The Third Round – Take it to a Regulator

If the organisation still unreasonably demands personal data, write down the reasons you are concerned about it.

If your reasons make sense once you see them on paper, consider sending a letter of complaint to the relevant regulator or oversight agency, such as a Privacy Commissioner.

There are resources on this web-site that can help you work out who to write to, and how to prepare the complaint.

The Fourth Round – Take it to the Media

Some regulators are effective; but all regulators have limited powers, many have very limited resources, and some have very little real commitment to actually helping people. So sometimes the most effective approach is to get the media involved in the matter.