Australian Privacy Principle 4—dealing with unsolicited personal information
(a) an APP entity receives personal information; and
(b) the entity did not solicit the information;
the entity must, within a reasonable period after receiving the information, determine whether or not the entity could have collected the information under Australian Privacy Principle 3 if the entity had solicited the information.
4.2 The APP entity may use or disclose the personal information for the purposes of making the determination under subclause 4.1.
(a) the APP entity determines that the entity could not have collected the personal information; and
(b) the information is not contained in a Commonwealth record;
the entity must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de identified.
4.4 If subclause 4.3 does not apply in relation to the personal information, Australian Privacy Principles 5 to 13 apply in relation to the information as if the entity had collected the information under Australian Privacy Principle 3.