
Data Consent Form (Australia)

Maintained by Vladislav Sergienko, Founder

What is a Data Consent Form (Australia)?

A Data Consent Form in Australia is a legally binding written instrument.

Australian Privacy Principle 3 governs the collection of solicited personal information. Under APP 3.3, an APP entity must not collect sensitive information about an individual unless the individual consents and the information is reasonably necessary for one or more of the entity's functions. Sensitive information is defined broadly in s 6(1) of the Privacy Act 1988 (Cth) to include health information, biometric information, genetic information, information about racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, sexual orientation or practices, criminal record, and trade union membership. Sensitive information attracts substantially greater protections than ordinary personal information, and explicit consent is the standard requirement for its collection.

Under APP 6, an APP entity that holds personal information about an individual may only use or disclose it for the primary purpose of collection, a directly related secondary purpose, or another secondary purpose if the individual has consented. A written Data Consent Form documents that consent, specifying the secondary uses authorised by the individual and providing an evidentiary record for compliance purposes.

The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth) — introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) — requires APP entities to notify the OAIC and affected individuals when an eligible data breach occurs. A breach involving sensitive information collected under a consent form is particularly serious because the individual reasonably relied on the consent process to define how their information would be used. The consent form must therefore accurately describe how the information will be protected, who may access it, and how it will be destroyed or de-identified once no longer needed under APP 11.2.

The OAIC's Australian Privacy Act Review Report (2023) recommended significant reforms including expanded individual rights to erasure and objection, and a strengthened consent framework. Australian organisations should monitor the progress of reform legislation and be prepared to update their consent forms when new requirements are enacted. The Spam Act 2003 (Cth), enforced by the Australian Communications and Media Authority (ACMA), requires express or inferred consent before sending commercial electronic messages. A Data Consent Form that addresses both Privacy Act 1988 (Cth) APP consent and Spam Act 2003 (Cth) marketing consent in one document reduces administrative burden while creating a clear evidentiary record. Under the Do Not Call Register Act 2006 (Cth), telemarketers must also obtain consent before calling individuals registered on the Do Not Call Register administered by the ACMA. Health service providers should note that the My Health Records Act 2012 (Cth) s 41 imposes specific consent requirements for uploading health information to the My Health Record system administered by the Australian Digital Health Agency (ADHA), which are separate from and additional to APP consent requirements. Forms-legal.com provides this template as a starting point for Privacy Act 1988-compliant consent documentation.

When do you need a Data Consent Form (Australia)?

A Data Consent Form is required in a range of specific circumstances under Australian privacy law where the APP entity needs to rely on consent as the lawful basis for collecting, using, or disclosing personal information.

Collection of sensitive information: Under APP 3.3 of the Privacy Act 1988 (Cth), collecting sensitive information — including health, biometric, genetic, racial, religious, sexual orientation, criminal record, and trade union information — generally requires express consent from the individual. A written consent form is the most reliable way to document that consent and prove it meets the OAIC's four criteria: voluntary, informed, current, and specific.

Health and medical services: Health service providers, clinical trial operators, allied health practitioners, and aged care providers regularly collect health information about patients and residents. Under s 6 of the Privacy Act 1988 (Cth), health information is sensitive information requiring consent. The My Health Records Act 2012 (Cth) also requires specific consent processes for uploading health information to the My Health Record system administered by the Australian Digital Health Agency.

Direct marketing: Under APP 7 of the Privacy Act 1988 (Cth), an organisation may only use or disclose personal information about an individual for direct marketing purposes if the individual has consented, or if certain other conditions apply. Where an organisation relies on consent for direct marketing, the consent must be clearly documented. The Spam Act 2003 (Cth) imposes additional consent requirements for sending commercial electronic messages.

Overseas disclosure: APP 8.1 requires an APP entity to take reasonable steps to ensure that any overseas recipient handles personal information consistently with the APPs before disclosing it. Where the entity relies on the individual's consent under APP 8.2(b) to authorise overseas disclosure, the consent form must clearly inform the individual that the overseas country may not have equivalent privacy protections to Australia, and that the APP entity will not be liable for the overseas recipient's handling of the information.

Research and data analytics: Academic institutions, market research companies, and data analytics firms that collect personal information for research purposes must generally obtain the individual's consent under APP 3, unless a specific research exception applies under Part III of the Privacy Act 1988 (Cth). A written consent form documents the scope of the research and the individual's agreement to participate.

What a Data Consent Form (Australia) should include

An Australian Data Consent Form must include the following elements to produce a valid consent under the Privacy Act 1988 (Cth) and satisfy the OAIC's four criteria for effective consent: voluntary, informed, current, and specific.

Organisation identification: The full legal name, ABN, and contact details (including a privacy officer email or phone number) of the APP entity collecting the personal information. Under APP 1.4, this information must be included in the organisation's Privacy Policy, which the consent form should reference.

Description of information collected: A clear and specific description of the types of personal information being collected, distinguishing between ordinary personal information (such as name, contact details, and employment information) and sensitive information (health, biometric, racial, or other categories under s 6(1) of the Privacy Act 1988 (Cth)) that attract heightened obligations.

Purpose of collection: A precise statement of the primary purpose for which the information is collected — and, if the organisation intends to use it for secondary purposes, each secondary purpose must be specifically identified and separately consented to. Bundled or blanket consents that fail to identify specific secondary uses may not satisfy the 'specific' consent requirement.

Storage and security: A description of how the information will be stored and the security measures in place to protect it from misuse, interference, loss, and unauthorised access under APP 11 of the Privacy Act 1988 (Cth). Reference to the OAIC's Guide to Securing Personal Information is recommended.

Third-party disclosure: Identification of any third parties to whom the information may be disclosed, including overseas recipients. Where information will be disclosed overseas, the consent form must satisfy APP 8.2(b) requirements: the individual must expressly consent knowing that the overseas country may not afford equivalent privacy protections.

Individual rights: A statement of the individual's rights under APPs 12 and 13 — the right to access their personal information held by the organisation, and the right to request correction of inaccurate, incomplete, or out-of-date information.

Withdrawal of consent: A clear statement that consent may be withdrawn at any time, the mechanism for withdrawal (email, written notice, or an online form), and the consequences of withdrawal for the organisation's ability to provide relevant services.

Signature block: The individual's name, signature, and date. For digital consent forms, an electronic signature satisfying the Electronic Transactions Act 1999 (Cth) or the relevant state equivalent — including the Electronic Transactions Act 2000 (NSW) and the Electronic Transactions (Victoria) Act 2000 (Vic) — is legally effective.

Marketing consent: Where the organisation also wishes to use the individual's contact details for direct marketing under APP 7 of the Privacy Act 1988 (Cth) and the Spam Act 2003 (Cth), a separate clearly labelled marketing consent checkbox must be included. Bundling direct marketing consent with consent to primary data collection is a common compliance failure that the OAIC has addressed in multiple investigation reports.

Children and minors: Where personal information may be collected from individuals under 18, the consent form must address the age threshold for valid consent and whether parental or guardian consent is required. The OAIC's guidance on privacy and children recommends that organisations apply enhanced protections to information collected from individuals under 15.

Version control: The form should include a version number and effective date so that the organisation can demonstrate which consent terms an individual agreed to at a particular point in time — important where the Privacy Act 1988 (Cth) is amended and consent forms are updated. Forms-legal.com provides this template as a starting point for Privacy Act 1988-compliant consent documentation in Australia.


Based on Australian Consumer Law (Competition and Consumer Act 2010, Schedule 2) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.


Related Documents

You may also find these documents useful:

Data Protection Policy (Australia)

Create a comprehensive Data Protection Policy for an Australian organisation. Compliant with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Covers data collection, use, storage, disclosure, access rights, and breach notification.

Subject Access Request (Australia)

Request access to your personal information held by an organisation in Australia. Compliant with the Privacy Act 1988 (Cth) and Australian Privacy Principle 12, which gives individuals the right to access their personal information.

General Consent Form (Australia)

Create a comprehensive Australian General Consent Form for activities, programs, events, and services. This template covers participant consent, assumption of risk, medical disclosure, emergency contact, photography consent, and liability limitation, drafted in accordance with the Australian Consumer Law (Schedule 2, Competition and Consumer Act 2010 (Cth)), applicable state civil liability legislation, and the Privacy Act 1988 (Cth). A general consent form is a foundational legal document for any Australian business, club, organisation, or institution that provides services or organises activities involving participants, customers, or clients. The form documents the participant's informed agreement to participate, their acknowledgement of the risks involved, their disclosure of relevant medical information, and the organisation's liability position — all of which are essential elements of a defensible risk management framework. Informed consent is a principle that runs across Australian law in many contexts. In the context of recreational activities and commercial services, consent is relevant to both the contract between the organisation and the participant and to the law of negligence. A participant who freely and voluntarily agrees to participate in an activity with knowledge of its risks may be taken to have assumed the inherent risks of that activity, which can defeat or reduce a negligence claim. Under the Civil Liability Act 2002 (NSW), the Wrongs Act 1958 (Vic), the Civil Liability Act 2003 (Qld), the Civil Liability Act 2002 (WA), the Civil Liability Act 1936 (SA), the Civil Liability Act 2002 (Tas), and the Civil Law (Wrongs) Act 2002 (ACT), Australian states have codified the voluntary assumption of risk defence, but require that the plaintiff was actually aware of and voluntarily accepted the specific risk that caused the loss. 
Because of this requirement of actual knowledge, a well-drafted risk disclosure section in a consent form is legally significant. Simply including a blanket exclusion clause is not sufficient — the form must specifically identify the known risks of the activity in plain language. A participant who signs a form that clearly and specifically describes the risks of the activity, and who proceeds to participate, is in a much weaker position to claim they were unaware of those risks. This is why this form includes a dedicated risk acknowledgement section inviting the organisation to describe the known hazards in specific terms. The Australian Consumer Law (ACL), which applies in all states and territories as Schedule 2 of the Competition and Consumer Act 2010 (Cth), imposes important limits on an organisation's ability to exclude liability. Under section 60 of the ACL, there is a consumer guarantee that services will be provided with due care and skill. Under section 61, services must be reasonably fit for any particular purpose the consumer makes known. An organisation cannot exclude these guarantees if the participant is a consumer under the ACL (broadly, where the services are for personal use and cost less than $100,000). Section 64A of the ACL allows an organisation to limit its liability for non-personal injury losses to resupply of the services, but section 64 prohibits any term purporting to exclude the consumer guarantees entirely. Liability for death or personal injury caused by negligence cannot be excluded in consumer transactions under the ACL. For recreational service providers, state legislatures have created specific risk warning regimes. In Queensland, the Tourism and Events Queensland Act 2012 and the Civil Liability Act 2003 allow recreational service providers who give a compliant risk warning to seek a waiver from a participant's rights under the Australian Consumer Law for personal injury. Other states have similar provisions. 
This general consent form provides a framework that can be adapted to include a compliant risk warning where required. The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) apply to organisations with an annual turnover of more than $3 million, and to certain smaller organisations in specific sectors. When a consent form collects personal information — including the participant's name, contact details, date of birth, and particularly medical information — the organisation must comply with APP 3 (collection of solicited personal information), APP 5 (notification of collection), and APP 11 (security of personal information). This form includes a privacy notice directing participants to the organisation's privacy policy. This form is suitable for adventure tourism and recreational activities, fitness and wellness businesses, sports clubs and associations, community programs and events, workshops and training programs, therapy and allied health services, arts and cultural programs, and any other activity where an organisation seeks documented participant consent before providing services.