Chapter 9
Australian Privacy Principle 6–use or disclosure of personal information
Introduction
9.1
Australian Privacy Principle 6 (APP 6) outlines the circumstances
in which entities may use or disclose personal information that has been
collected or received.[1]
9.2
The Companion Guide states that from this principle, it is implicit that
an entity may use or disclose personal information for the primary purpose that
the information was collected for. This personal information can only be used
or disclosed for a secondary purpose (a purpose other than the primary
purpose), if the individual concerned has consented.[2]
However, the Companion Guide explains that in some circumstances, the public
interest outweighs individual privacy, and consequently a series of exceptions
which allow the use or disclosure of personal information without consent, are
provided for in APP 6. The exceptions are based on those which currently
exist under National Privacy Principle 2.1, with the addition of some new
exceptions. Further, this principle does not apply to the use or disclosure of
government related identifiers or personal information for the purposes of
direct marketing – use and disclosure for these purposes is covered in separate
principles.[3]
Background
9.3
Provisions regarding the use and disclosure of personal information by
agencies are contained in Information Privacy Principles (IPPs) 9 to 11. These
provide that:
-
personal information should only be used for a purpose which is
relevant to the information (IPP 9);
-
personal information should only be used for particular purposes
for which it was collected unless certain exceptions apply (IPP 10);
-
personal information should not be disclosed to a person, body or
agency other than the individual unless certain exceptions apply (IPP 11).[4]
9.4
National Privacy Principle (NPP) 2 provides for the use and
disclosure of personal information by organisations. Under NPP 2 the use
and disclosure of personal information for a purpose other than the 'primary
purpose' of collection, is prohibited, unless certain exceptions apply.[5]
9.5
The NPPs and IPPs contain some similar exceptions, permitting the use
and disclosure of personal information in situations in which:
-
the individual consents to the use or disclosure;
-
use or disclosure of the personal information is authorised by or
under law;
-
use or disclosure of the personal information is necessary to
lessen or prevent a serious and imminent threat to the life or health of an
individual;
-
use or disclosure is reasonably necessary to enforce certain activities
of an enforcement body.[6]
9.6
However, NPP 2 contains a much larger list of exceptions than the
IPPs.[7]
9.7
In its review, the ALRC considered, amongst other issues:
-
the appropriateness of consolidating the use and disclosure
provisions in the IPPs and NPPs into a single principle;
-
the circumstances in which the use and disclosure of personal
information for a purpose other than the purpose the information was collected
for, should be permitted; and
-
whether any use or disclosure for a purpose other than the
original purpose for which the information was collected, should be recorded.[8]
9.8
The ALRC considered whether use and disclosure provisions should be
consolidated into a single principle and came to the view that a single privacy
principle should deal with use and disclosure for both agencies and
organisations. The ALRC commented that this would reduce the complexity of
privacy regulation and avoid technical legal arguments about whether an action
constitutes a use or disclosure.[9]
9.9
The ALRC noted that the principles in both the IPPs and NPPs relating to
use and disclosure 'adopt a prescriptive approach' and do not contain an
overriding qualifier such as permitting disclosure where it is 'reasonable' in
the circumstances. Use and disclosure of personal information is permitted for
the primary purpose for which it was collected unless an exception authorises
this action. The ALRC noted that these exceptions do not require the use or
disclosure of personal information – they merely permit the use or disclosure
in certain circumstances.[10]
9.10
The ALRC considered the exceptions to the prohibition on use or
disclosure and came to the view that the exceptions as they apply to agencies
and organisations should be consolidated. In addition, the ALRC commented, in
relation to specific exceptions as follows:
-
use or disclosure for a secondary purpose where there is a
requisite connection with the primary purpose of collection, and within the
reasonable expectations of the individual–the NPPs include this exception and
the ALRC considered that it should also apply to agencies. In relation to sensitive
information, the ALRC recommended that the secondary purpose be directly
related to the primary purpose. The reasonable expectation test was seen as balancing
the loosening of the provisions governing agencies and is unlikely to be
particularly onerous;[11]
-
authorisation of the use or disclosure of personal information in
circumstances in which an individual has consented to that use or
disclosure–this exception should be included in the use and disclosure
principle;[12]
-
use or disclosure of information in circumstances by agencies and
organisations where they have reason to suspect unlawful activity–the ALRC
considered this an appropriate exception but that it should only apply if such
use or disclosure is a necessary part of the entity's investigation. The ALRC
did not think it was necessary to expressly extend the exception to suspected
serious misconduct, despite submissions to that effect by some stakeholders, as
the OPC's guidance on investigation includes investigation of professional
misconduct;[13]
and
-
law enforcement and regulatory purposes–the ALRC support an
exception for the use or disclosure of information for a secondary purpose if
it is necessary for, or on behalf of, an enforcement body to perform its
functions. Rather than the more general exception in IPPs 10 and 11, the ALRC
preferred the format of NPP 2.1(h) in this regard as it listed specific
functions to which such an exception would apply.[14]
9.11
In relation to the emergency, disaster and threat to life, health or
safety exception, currently, personal information can be used and disclosed if
it is necessary to lessen or prevent a serious and imminent threat to an
individual's life or safety. The NPPs also allow secondary use and disclosure
in certain circumstances. The ALRC formed the view that the use and disclosure
of personal information should be permitted if an agency or organisation
reasonably believes that such a use or disclosure is necessary to lessen or
prevent a serious threat to an individual's life, or the health and safety of
an individual or the public. The ALRC explained the 'reasonable belief' test
was an important safeguard, as an agency or organisation 'will need to have
reasonable grounds for its belief that the proposed use or disclosure is
essential, and not merely helpful, desirable, or convenient.'[15]
9.12
While an assessment of what constitutes a 'serious threat' would have to
consider both the likelihood of harm, and the gravity of the outcome, the ALRC
considered it prudent to retain this term. However, the ALRC suggested that the
requirement that any threat be 'imminent' be removed, as it focuses on the
immediacy of a threat, and in the ALRC's view, agencies and organisations 'should
be able to take preventative action to stop a threat from escalating to the
point of materialisation.'[16]
9.13
In its submission to the Legal and Constitutional Affairs Committee
inquiry, the Australian Privacy Foundation suggested that the exception
regarding the use or disclosure of personal information required or authorised
by or under law should be restricted by removing the terms 'authorised' and
under to remove any subjectivity, and providing a clear definition of what is
encompassed by the term 'law'.[17]
9.14
The ALRC expressed the view that there must be provision for an
exception which allows the use or disclosure of personal information where it
is required or authorised by or under law. The ALRC noted suggestions that this
exception should be narrowed, however the ALRC argued that restricting the
exception might have 'far-reaching, and possibly unintended, consequences.' The
ALRC suggested some important safeguards on this exception, recommending that
the Privacy Act be amended to specify what is included by 'law' with regard to
this exception, and suggesting that the OPC develop guidelines regarding when
an act or practice will be required or authorised under law. Further, the ALRC
explained that agencies and organisations must:
...be able to establish the basis upon which they assert
their entitlement to rely on the exception. That is, they will still need to be
able to identify the law which they assert requires or authorises a particular
use or disclosure.[18]
9.15
While neither the IPPs nor the NPPs provide for the use and disclosure
of personal information necessary for the purposes of confidential alternative
dispute resolution (ADR) processes, the ALRC recommended that such an exception
be included. The current Privacy Act, without such an exception, has the potential
to present significant barriers to the resolution of disputes through ADR,
which is 'facilitated by the disclosure of all relevant information by the
parties to dispute resolution bodies, including personal information about
third parties.'[19]
9.16
In providing this recommendation, the ALRC noted that ADR 'potentially
could include an extremely broad range of situations.' The ALRC considered that
the most appropriate way to limit the scope of the provision would be to
provide confidentiality requirements, and the particulars of what constitutes
confidentiality requirements would be articulated by guidance formulated by the
OPC in consultation with the National Alternative Dispute Resolution Advisory
Council.[20]
9.17
The ALRC considered the inclusion of an exception allowing use and
disclosure for the establishment, pursuit or defence of legal rights. However,
the ALRC came to the conclusion that such an exemption would not practically
assist intending litigants in a substantial way, as the exception would permit
and not compel the disclosure of information. Further, the ALRC noted that
processes via court orders exist for the purposes of obtaining information for
the purposes of legal rights, and that these processes are subject to
established rules to prevent any abuse by the parties involved, and therefore
provide the most appropriate way of accessing required information for these
purposes.[21]
9.18
In its report, the ALRC noted the significant issues and competing
considerations surrounding the authorisation for the use and disclosure of
personal information for the purposes of missing persons investigations. While
such disclosures may assist in locating missing persons who want to be located,
it was noted that there are circumstances in which the missing person does not
wish to be located for personal reasons, or due to fear for their own safety.
In light of this, the ALRC noted that creating a general exception regarding
missing person investigations could interfere with the privacy of an individual
and risk their safety. The ALRC concluded that other means may be used to
obtain information to assist missing persons investigations:
Where an agency or organisation has a legitimate reason to
search for a missing person, it may be able to avail itself of one of the other
exceptions to the general prohibition in the 'Use and Disclosure' principle, or
it may seek a public interest determination.[22]
Recording use or disclosure for a
secondary purpose
9.19
The ALRC formed the view that, as is currently the case under IPPs 10
and 11 and NPP 2, agencies and organisations should be required to record
any use or disclosure made under the exception regarding law enforcement. The
ALRC noted calls from other committees and stakeholders for expanding the
requirements regarding the logging of use and disclosures made for purposes
other than the primary purpose of collection. However, the ALRC concluded that
requiring that each use and disclosure made under an exception be recorded
would not be justified and would be hugely impractical, costly and onerous for
organisations and agencies.[23]
Government response
9.20
The Government accepted that a use and disclosure principle was
necessary and that these requirements should 'be balanced so as to recognise
other important public interests that may, on occasion, compete with the public
interest of maintaining the individual's privacy'. The Government also agreed
that the use and disclosure of personal information should be allowed for a
secondary purpose if the individual would reasonably expect their information to
be used for the secondary purpose, and the secondary purpose is related to the
primary purpose of collection, or in the case of sensitive information, the
secondary purpose is directly related to the primary purpose of collection.[24]
9.21
The Government response also indicated that, in addition to the
exceptions recommended by the ALRC, it considered that further exceptions were
necessary relating to circumstances in which:
-
the individual consents to the use or disclosure;
-
unlawful activity or serious misconduct is suspected and the
agency or organisation uses or discloses personal information as a necessary
part of its own investigation of the matter or in reporting its concerns to
relevant persons or authorities;
-
the use or disclosure is required or authorised by or under law;
and
-
the organisation or agency reasonably believes that the use or
disclosure is reasonably necessary for the prevention, investigation, detection
or prosecution of breaches of a law by or on behalf of an enforcement body.[25]
9.22
The Government also identified additional exceptions related to matters
addressed in other recommendations made by the ALRC in relation to confidential
alternative dispute resolution; research purposes; and provision of a health
service.
9.23
In agreeing that there should be provision for the use and disclosure of
personal information where an agency or organisation reasonably believes it is
necessary to lessen or prevent a serious threat to an individual's life, health
or safety or public health or public safety, the Government acknowledged the
concerns of some stakeholders that the exception was too broad. While the
Government agreed with the removal of the term 'imminent', the response
suggested that in order to provide an adequate safeguard, an additional
requirement that it be unreasonable or impracticable to obtain an individual's
consent to such a use or disclosure, be added to the exception.[26]
9.24
The Government indicated its support for an express exception to allow
the use or disclosure of information for a missing person investigation.
Recognising that there are legitimate reasons why some individuals may not wish
to be located, the Government outlined that the exception would only permit,
and not compel, the use or disclosure of personal information in these
circumstances. Further, the Government stated that any use or disclosure of
personal information for this purpose would be subject to binding rules issued
by the Privacy Commissioner in a legislative instrument subject to parliamentary
scrutiny. The Government suggested that the rules issued by the Privacy
Commissioner should be developed in consultation with relevant stakeholders,
and should address matters including that uses and disclosures should only be
in response to requests from appropriate bodies with recognised authority for
investigating reported missing persons; and where it is either unreasonable or
impracticable to obtain consent from the individual, any use or disclosure
should not go against any known wishes of the individual.[27]
Issues
Structure and terminology
9.25
Various submitters raised concerns about the structure of APP 6 and
the terminology used. Professor Graham Greenleaf and Mr Nigel Waters noted that
the ALRC's Unified Privacy Principle (UPP) 5 provides a single list of
'conditions' on the use or disclosure of personal information, whereas
APP 6 splits the list between APP 6(1) and APP 6(2). They
expressed concern that this is misleading, as without making it clear that
APP 6(2) actually contains exceptions to providing consent for use and
disclosure, the principle:
...implies that consent has a much more prominent role than
it does in reality. Having consent as just one of a number of conditions for
use and disclosure in a single clause gives a much more realistic impression of
the effect of the law.[28]
9.26
The OPC also commented on the structure of APP 6 and suggested that
APP 6(1) and (2) be merged into a shorter simpler single provision.[29]
Privacy NSW added that, in its view, APP 6 is too complex and will not
assist people in understanding how their personal information may be managed.
An alternative form of words for the principle was suggested, providing an
initial link to APP 5:
If an entity has notified an individual about its intended
uses or disclosure of personal information it may carry out those uses or
disclosures. If an individual has not agreed to those uses or disclosures, the
entity may only use or disclose the information if the following circumstances
apply:...[30]
Conclusion
9.27
The committee again notes that general comments in relation to the structure
of the APPs have been made in chapter 3.
Use or disclosure–APP 6(1)
9.28
APP 6(1) provides that an entity should only disclose personal
information about an individual for the 'primary purpose', being the particular
purpose for which it was collected. The personal information can only be used
or disclosed for a 'secondary purpose' if the individual agrees to the use or
disclosure for that purpose, or if one of the exceptions in APP 6(2)
applies. The Office of the Guardian for Children and Young People (GCYP) noted
its partial support for this provision.[31]
9.29
The Office of the Information Commissioner, Queensland (OIC), raised
concerns that the test allowing the use or disclosure of information is too
loose 'as to render the prohibition on secondary use or disclosure meaningless'
and went on to state:
Entities have specific areas of operation which are necessarily
both broad albeit concentrated in a specific area...All activities conducted in
an entity can be related to all other activities...Under APP6 the potential
exists for the secondary use or disclosure of any personal information which in
the control or possession of an entity irrespective that the primary purpose is
widely different.[32]
9.30
The OIC went on to note that privacy legislation in place in Queensland
only allows 'use' for a secondary purpose, and that secondary purpose must be
directly related to the primary purpose. According to the OIC, it is determined
objectively, rather than subjectively. The OIC suggests that this provision be
limited in a similar manner to the Queensland legislation.[33]
9.31
A number of submitters, for example, the Australian Institute of Credit
Management (AICM), requested clear guidance as to what might constitute a
secondary purpose, as this concept does not appear to be defined within the
exposure draft. AICM was concerned that without further clarity regarding the
concept of a secondary purpose, use or disclosure of personal information which
has a deleterious impact on individuals may occur.[34]
These concerns were echoed by the Law Institute of Victoria (LIV), which also
called for guidance on the terms 'primary purpose' and 'secondary purpose' to
assist entities to adequately comply with the principle. The LIV also noted
that such guidance is currently lacking under the NPP as well.[35]
9.32
The Australian Bankers' Association (ABA) noted that unlike NPP 2,
APP 6(1) refers to the primary purpose of collection as a 'particular
purpose', and this could have implications for the financial services industry:
The reference to "a particular purpose" should be
clear it encompasses all necessary or naturally related purposes. For example,
the particular purpose of processing a loan application should include all of
the possible activities and use and disclosures of personal information that
are necessary to maintain, service and recover the loan. It should be clarified
that all necessary or naturally related purposes are able to be described in
this way and are taken to be included in the meaning of "particular purpose"...
However, compared with the reference to "particular purpose" in APP 6
subsection 7(1), sub-sections 7(2)(h) and (i) suggest that the wider approach
to activities associated with "particular purpose" in the case of
financial services might not be available.[36]
9.33
Professor Greenleaf and Mr Waters also suggested changes to the
terminology used in this subsection, noting that as an entity may have more
than one primary or secondary purpose, the phrases 'a primary purpose'
and 'a secondary purpose' should be used in place of 'the primary
purpose' and 'the secondary purpose'.[37]
Conclusion
9.34
The committee notes that the definition of the term 'related', provided
in the revised Explanatory Memorandum for the Privacy Amendment (Private
Sector) Bill 2000, may assist in the interpretation of the term 'secondary
purpose'. The Explanatory Memorandum states:
To be "related", the secondary purpose must be
something that arises in the context of the primary purpose. For example, a
business that collects personal information about its clients may use that
information to notify its clients of its change of business address.[38]
9.35
The committee notes that the ALRC took such issues into consideration in
its report, and formed the view that it is not necessary to require a direct relationship
between the primary and secondary purpose with regard to the use and disclosure
of non-sensitive information. In fact, the ALRC noted that such a requirement
could prove to be significantly onerous for organisations. The ALRC further
noted that the removal of the direct relation requirement for the use of
non-sensitive information in relation to agencies would be effectively balanced
by the introduction of the reasonable expectations test. In summary, the ALRC
explained, the:
...fact that a primary purpose is related to a secondary
purpose increases the likelihood that an individual would reasonably expect his
or her personal information to be used or disclosed for that secondary purpose.[39]
9.36
The committee notes concerns about ambiguity of the terms 'primary' and
'secondary' purpose and considers that further guidance on the meaning of these
terms would be beneficial.
Exceptions–APP 6(2)
9.37
APP 6(2) provides a list of exceptions to APP 6(1), which
allow the use or disclosure of personal information without consent. The ABA
welcomed the list of exceptions in AAP 6(2) as practical.[40]
Authorised or required by or under
Australian law–AAP 6(2)(b)
9.38
Submissions commented on the exception allowing the use or disclosure of
personal information where the information is required or authorised by law, or
the order of a court or tribunal. Professor Greenleaf and Mr Waters raised
concerns that the insertion of the word 'authorised' broadens this exception,
and makes its application subjective, as opposed to simply retaining the
stricter 'required by law'.[41]
9.39
The Australian Direct Marketing Association and Google argued that the
paragraph should be amended to accommodate the requirements of foreign laws, as
some companies will be beholden to both Australian law, and the law of other
countries in which they carry out business.[42]
Google explained:
For example, a foreign country may mandate disclosure of
personal information in response to a subpoena issued by a court exercising
jurisdiction over the operations of the service provider in that foreign
country. It would be inappropriate to place the service provider in jeopardy
under Australian law for responding to valid court process in a foreign
jurisdiction.[43]
Conclusion
9.40
Similar concerns were taken into consideration in the ALRC's review;
however, the ALRC did not deem it appropriate to further restrict this
exception. The committee notes that the ALRC recommended certain safeguards
pertaining to this exception, including that agencies and organisations must be
able to provide the basis on which they claim the exception by naming the law
which requires or authorises the use or disclosure.[44]
The committee notes that the Government supported the retention of this
exception in its response.[45]
9.41
As discussed in previous chapters, the committee notes that the
provisions in the current Privacy Act which provide that acts or practices
undertaken outside of Australia which are required by 'an applicable law of a
foreign country' will not be taken as a breach of privacy, will be replicated
in the new Privacy Act.[46]
Serious threat to life, health or
safety–APP 6(2)(c)
9.42
Concerns were raised that the exception allowing the use or disclosure
of personal information to lessen or prevent a serious threat to the life,
health or safety of the public or an individual has been significantly expanded.
Professor Greenleaf and Mr Waters noted there is no reference to a requirement
for any threat to be 'imminent', and threats to the health and safety of
individuals and the public have been added. Further, they argued that the
condition that it be 'unreasonable or impracticable to obtain consent' is quite
weak, and that it should be replaced with a stronger provision that it be
physically or legally impracticable to obtain consent.[47]
9.43
The Australian Medical Association (AMA) also commented on the removal
of the word 'imminent', and was concerned to ensure that patient privacy is not
breached as a result of this change. The AMA submitted that guidance on what
effect the change in wording will have in practice, specifically how the
provision differs from the current requirement, and guidance on when it is
appropriate for a doctor to disclose a patient's personal information without
consent, will be required.[48]
9.44
Qantas raised concerns about the use of the term 'serious' and
recommended that the term be removed from throughout the exposure draft, as
'The question of "seriousness" will always be subjective'.
Therefore Qantas suggested that the following form of words would be more
appropriate for the exception: 'the entity reasonably believes that the use or
disclosure will lessen or prevent a threat'.[49]
9.45
While the Health Services Commissioner, Victoria (HSC) broadly supports
APP 6 as consistent with the Health Records Act 2001 (Vic), it was
noted that APP 6(2)(c)(ii),
may limit the ability of an entity to use or disclose personal information of
an individual suffering from psychiatric illness. The HSC suggested that the
appropriateness of this provision, with regards to health privacy, be
considered.[50]
Conclusion
9.46
The committee notes the ALRC's considerations regarding the use of the terms
'imminent' and 'serious'. In particular, the committee observes that the
removal of the term 'imminent' simply removes the need to assess the immediacy
of the threat. However, the retention of 'serious' ensures that an assessment
of the gravity of the potential outcome of a threat is assessed before a use or
disclosure is made.[51]
9.47
The committee also observes that the Government noted such concerns in
its response to the ALRC report. While the Government agreed with the removal
of the term 'imminent', it acknowledged concerns that the removal of the term
broadened the exception. To address these concerns, the Government proposed the
addition of a requirement that it be 'unreasonable or impracticable' to obtain
an individual's consent to a use or disclosure for this purpose.[52]
The committee notes that this has been taken into account in the exposure
draft.
9.48
The committee notes the concerns of the Health Services Commissioner and
suggests that the circumstances of individuals with psychiatric illness be
taken into consideration.
Unlawful activity–AAP 6(2)(d)
9.49
The Law Council of Australia and the Australian Direct Marketing
Association (ADMA), expressly supported the inclusion of a provision permitting
disclosure and use of personal information in circumstances of suspected
unlawful activity or misconduct of a serious nature. The Law Council of
Australia noted that the absence of such a provision in NPP 2 has caused
organisations significant issues to date.[53]
9.50
Various submitters noted concern about the limited application of
APP 6(2)(d)(i), and argued that entities should have more discretion
regarding disclosures in respect of potential unlawful activity or serious
misconduct. The Financial Services Council (FSC) and ABA suggested that
entities should also have some discretion to disclose information about any potential
unlawful activity or serious misconduct, even if it doesn't directly relate to
their own functions or activities.[54]
9.51
In contrast, Professor Greenleaf and Mr Waters argued that this
provision is not necessary, and could be used to compile and maintain
'blacklists' simply based on suspicion of wrongdoing, with no requirement that
any such listed individuals be afforded natural justice. Should this provision
be retained, they suggested that the exception should be conditional on the
entity undertaking 'appropriate action', within a reasonable period of time, to
prevent the creation of 'blacklists'.[55]
9.52
In its response to these matters, the Department of the Prime Minister
and Cabinet (the department) noted that while the use and disclosure of personal
information is permitted for any unlawful activity relating to the entity's
functions or activities, the use and disclosure of personal information should
not be permitted merely for minor breaches of misconduct. The department
further commented that these are issues that can be handled internally by the
entity without the need to use or disclose an individual's personal
information. The department concluded:
Consistent with the ALRC's views, the exception is aimed at
internal investigations by an entity about activities within or related to that
entity. If an entity believed that there was unlawfulness not related to its
own functions and activities, it may be possible to disclose the information
under the law enforcement exception in APP 6(2)(e).[56]
Conclusion
9.53
The committee notes concerns about the application of this exception.
However, the Government response makes it clear that the inclusion of an
exception allowing the use or disclosure of personal information where unlawful
activity or serious misconduct is suspected was supported.[57]
Further, the department has noted that the intention of the provision is that
it will only be applied to the internal investigations of an entity.
Enforcement related
activities–AAP 6(2)(e)
9.54
Professor Greenleaf and Mr Waters noted that while they believe this
provision is necessary, they are concerned that the exception allowing the use
and disclosure of personal information for the enforcement activities of an
enforcement body has been expanded, and subsequently weakened.[58]
9.55
The committee observes that the Government supported the inclusion of an
exception allowing the use or disclosure of personal information for law
enforcement activities in its response to the ALRC report.[59]
Diplomatic or consular
functions–APP 6(2)(f)
9.56
Concerns were raised by Professor Greenleaf and Mr Waters regarding the
exception allowing the use or disclosure of personal information for an
agency's diplomatic or consular functions or activities. They argued that this
new 'special pleading' provision allows the diplomatic services to use or
disclose personal information based solely on the entity's own 'reasonable
belief'. They submitted that 'any case for additional exceptions should be
argued rather than simply asserted'.[60]
9.57
The Office of the Victorian Privacy Commissioner (Privacy Victoria)
noted that the exceptions provided for in APP 6(2)(f) and (g) relate
solely to Commonwealth agencies. Privacy Victoria argued that given the APPs
are supposed to be simple and high-level, such express detail reduces the
clarity of the APPs and the ability of States and Territories to readily adopt
them with little amendment.[61]
The committee's comments in relation to agency specific exceptions are
canvassed in chapter 3.
Missing person–APP 6(2)(g)
9.58
APP 6(2)(g) provides an exception in relation to the use and
disclosure of personal information where it would assist to locate a person who
has been reported missing.
9.59
In its submission to the committee, the ALRC noted that the issue of disclosure
of personal information regarding missing persons has been dealt with
differently in the exposure draft than recommended by the ALRC in its report.
The ALRC explained that the matter was canvassed in its Issues Paper, and while
some stakeholders supported disclosure of information in such a situation,
there was concern among others that a missing person may not wish to be found.
Therefore, to 'create a general exception in respect of all missing person
investigations risks interfering with the privacy of certain missing
individuals and, possibly, endangering their lives'.[62]
The ALRC concluded that:
...the privacy principles did not need to be amended
expressly to allow agencies and organisations to use or disclose personal
information to assist in the investigation of missing persons, given that other
proposed principles should facilitate the disclosure of information in
appropriate circumstances (e.g. in relation to serious threats to a person’s
life, health or safety).[63]
9.60
Given that an exception regarding missing persons has been included in
the exposure draft of the APPs, the ALRC emphasised that the Australian Privacy
Rules proposed under section 21 of the exposure draft will be important in
providing the required constraints relating to the collection and use of personal
information to assist in the location of a missing person.[64]
9.61
Professor Greenleaf and Mr Waters also commented on the use of
Privacy Rules in relation to this exception and argued that guidelines
pertaining to this principle should be included in the APP itself, and not left
to regulations.[65]
9.62
The Office of the Guardian for Children and Young People (GCYP)
expressed concern that a missing person may not wish to be located for a number
of reasons, including for fear for their personal safety. The GCYP argued that
APP 6(2)(g)(i) is very broad, and that a 'clear definition and procedure
to test validity of an assumption that someone is "missing" is required.'[66]
Conclusion
9.63
The committee observes that the Government provided a detailed
explanation in its response to the ALRC's recommendations for its decision to
include an exception for the use and disclosure of information to assist in
locating missing persons. The Government acknowledged that in some cases a
missing person may not wish to be located. For this reason, the Government has
noted its intention to have binding rules for the use of this exception issued
by the Privacy Commissioner, covering a series of matters, including that any
use or disclosure should not go against 'any known wishes' of the individual,
that an assessment of whether the use or disclosure will pose a serious threat
to the individual be undertaken, and that any use or disclosure of personal
information should be limited. The Government has indicated that these rules
will be a legislative instrument and will therefore be subject to parliamentary
scrutiny.[67]
9.64
The intentions the Government signalled in its response to the ALRC
report were implemented in the exposure draft. As explained in the Companion
Guide, this exception will only be able to be used in accordance with the rules
issued by the Commissioner, as 'it is important that the permission to collect,
use or disclose personal information strikes the right balance, ensuring that persons
who have intentionally chosen to discontinue contact remain undisturbed'.[68]
9.65
The committee considers that the use of this exception, subject to rules
issued by the Australian Information Commissioner, will provide adequate
protection for those who do not wish to make contact with the people who are
looking for them and, at the same time, assist in those cases where the use and
disclosure of personal information is needed to locate genuinely missing
people.
Legal or equitable claim and
alternative dispute resolution process–APP 6(2)(h) and (i)
9.66
In its submission GCYP requested clarification of the scope of APP 6(2)(h),
relating to the use or disclosure of personal information for the purposes of a
legal or equitable claim, noting that agencies are already required to provide
information to the judiciary in certain circumstances. GCYP went on to state
that these legal requirements, in conjunction with the other provisions in
APP 6, give sufficient provision for disclosure without the inclusion of
this paragraph.[69]
9.67
Professor Greenleaf and Mr Waters further noted that APP 6(2)(h)
does not require any assessment of how trivial a 'legal or equitable claim' may
be in comparison with the impact that disclosure or use of information for such
a claim may have on an individual's privacy.[70]
9.68
The Law Council of Australia noted concern that APP 6(2)(h) and (i)
are not broad enough to adequately cover 'all disputes before alternative
dispute resolution bodies, tribunals or external dispute resolution schemes'.
Consequently, the Law Council suggested that if an entity believes use or
disclosure of personal information is reasonably necessary for the purposes of
a dispute before any such body, use or disclosure should be allowed under the
principle.[71]
9.69
Professor Greenleaf and Mr Waters suggested that the word 'prescribed'
be inserted into APP 6(2)(i) to ensure that only genuine alternative
dispute resolutions qualify under this exception.[72]
Conclusion
9.70
The committee supports the inclusion of the exceptions for legal or
equitable claims and alternative dispute resolution (ADR). The committee
considers that guidance from the Australian Information Commissioner will be
necessary to clarify the operation of these provisions and, in particular, to
address concerns such as those raised by the Law Council of Australia that
APP 6(2)(h) and (i) are not broad enough to adequately cover 'all disputes
before alternative dispute resolution bodies, tribunals or external dispute
resolution schemes'.
9.71
In relation to ADR, the committee notes that the ALRC recommended a
confidentiality safeguard to limit the scope of the exception regarding ADR,
and given this, the ALRC considered it unnecessary to provide any further
stipulation on the ADR process used, noting it could prove problematic, as such
a limitation could 'artificially fragment the application of the exceptions'.
The ALRC further noted:
...by its very nature, ADR is dynamic and diverse. Provided
the confidentiality safeguards outlined above are in place, this diversity
should be accommodated. This is best managed by applying the exception to the
broad ambit of ADR processes.[73]
9.72
The committee observes that the Government supported the inclusion of an
exemption for ADR processes in its response to the ALRC report, and encouraged
the development of appropriate guidance by the Privacy Commissioner.[74]
Additional exception
9.73
Qantas argued for an additional exception in relation to emergencies or
disasters. Qantas noted that under Part VIA of the current Privacy Act, in the
event of a situation declared an emergency or disaster by the Prime Minister,
certain personal information is allowed to be collected, used and disclosed,
and that this provision is to be replicated in the new Privacy Act. However,
Qantas was concerned that some emergency or disaster situations which do not
warrant a Prime Ministerial declaration, may still result in significant
injuries and it may be considered desirable to release personal information to
authorities in such instances. Consequently, Qantas suggested that an exception
be included in the legislation, allowing the disclosure or use of personal
information if, 'in the reasonable opinion of the entity, it is necessary for
or will assist in an appropriate response to an emergency or disaster.'[75]
9.74
The committee notes that following the introduction of Part VIA of the
current Privacy Act in 2006, the ALRC observed that stakeholders have indicated
that 'most, if not all, of the problems arising from the handling of personal
information in emergency situations have been dealt with adequately by the
advent of Part VIA.'[76]
9.75
The Companion Guide states that it is expected that Part VIA of the
current Privacy Act will be replicated in the new Privacy Act. The committee
notes the explanation by the ALRC in its report, which indicated that the
provisions in the privacy principles will apply to 'emergencies or other
threats to life that are not declared under Pt VIA, or the subject of a TPID'
[temporary public interest determination].[77]
The committee considers that it appears this is the function of
APP 6(2)(c).
Written note of use or
disclosure–APP 6(3)
9.76
GCYP noted in-principle support for this section, which requires a
written note of the use or disclosure of personal information for enforcement
activities permitted under APP 6(2)(e). However, GCYP requested guidance
on what constitutes a written note of use or disclosure, and requirements for
secure record keeping. GCYP also suggested that the following information
should be included in any such note:
- reasons
for overriding the client's wishes or for not seeking consent
- advice
disclosed, received or requested from others
- reasons
for not agreeing to an information sharing request
- what
information was collected, disclosed, with whom, and for what purpose
- any
follow up activity required by the organisation or entity.[78]
9.77
Professor Greenleaf and Mr Waters suggested that the requirement to
provide a written note should extend to paragraphs (2)(d), (f) and (g) as well,
as they are similar to (2)(e).[79]
Privacy NSW went further, and suggested that this requirement be extended to
any use or disclosure of personal information for a secondary purpose.[80]
9.78
The department, in responding to these suggestions, noted that the ALRC had
found that imposing a general legislative requirement to log use and disclosure
is, on balance, untenable. It noted that the sheer volume of use and disclosure
of personal information by agencies and organisations on a daily basis would
render such a requirement impractical, costly and onerous. However, the ALRC
believed there was considerable merit in imposing such a requirement in the
special context of law enforcement. Further, while there is an argument that
the unlawful activity exception in APP 6(2)(d) is similar to the law
enforcement exception, the ALRC noted that this potential overlap made it seem
unnecessary for the Privacy Act to require the logging of all use and
disclosure under the unlawful activity exception.[81]
Conclusion
9.79
The committee concludes that there is no reason to extend the provisions
of APP 6(3) to include other exceptions.
Exceptions–APP 6(5)
9.80
APP 6(5) provides that use and disclosure of government related
identifiers and personal information for the purposes of direct marketing are
not subject to APP 6. The GCYP noted its support for this provision.[82]
However, Professor Greenleaf and Mr Waters argued that this is a significant
departure from the ALRC's recommendations, and from the NPPs. They submitted
that the direct marketing and government identifier provisions were not
designed as 'standalone' principles, as reflected in:
...the ALRC's recommendations (UPPs 5, 6 & 10) and the existing
NPPs 2 & 7, which have direct marketing and identifier principles
as ‘extra requirements’ applying over and above the normal application of the
use and disclosure principle (to the extent that they are compatible).[83]
9.81
This argument was supported by Qantas Airways Limited, and is further
examined in chapter 10.[84]
9.82
However, Professor Greenleaf and Mr Waters suggests that if the direct
marketing and government identifier provisions are maintained as separate
principles, APP 6(5) should provide a clearer link to these separate
principles.[85]
Navigation: Previous Page | Contents | Next Page