A single ‘Use and Disclosure’ principle

25.11 As noted above, the IPPs contain separate ‘use’ and ‘disclosure’ principles. In contrast, the NPPs, and the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) (OECD Guidelines), deal with use and disclosure in a single privacy principle.[6]

25.12 In assessing the merits of dealing with use and disclosure in one principle, consideration needs to be given to the meanings of ‘use’ and ‘disclosure’. Section 6(1) of the Privacy Act 1988 (Cth) provides that:

use, in relation to information, does not include mere disclosure of the information, but does include the inclusion of the information in a publication.

25.13 The Privacy Act does not otherwise define ‘use’, nor does it define the concept of disclosure. Guidance issued by the OPC on the IPPs addresses the meaning of ‘use’. It provides that:

Use is interpreted broadly. It relates to managing personal information with an agency. As a general rule, any accessing by an agency of personal information in its control is a ‘use’. This includes:

  • searching records for any reason

  • using personal information in a record to make a decision

  • passing a record from one part of an agency to another part with a different function.[7]

25.14 The OPC’s guidance also addresses the meaning of disclosure, and provides examples of disclosures. It states that:

The Privacy Commissioner interprets disclosure as a release of personal information from the effective control of the agency. An agency may release the personal information:

  • automatically, to a person or body that the agency knows has a general authority to access that personal information; or

  • in response to a specific request.[8]

25.15 The OPC’s guidance states that an agency’s action cannot be both a use and disclosure.[9] This means that an agency has to decide whether to apply the principle relating to use, or that relating to disclosure. The guidance considers the circumstances in which passing personal information outside an agency is a ‘use’. It states that the test for categorising an action as a use or disclosure ‘is always whether or not the agency maintains control over that personal information’.[10]

Submissions and consultations

25.16 In Issues Paper 31, Review of Privacy (IP 31), the ALRC asked whether the IPPs, in addition to the NPPs, should deal with use and disclosure in one privacy principle.[11] In response to IP 31, a majority of stakeholders stated that agencies should be subject to a single privacy principle dealing with use and disclosure. The OPC submitted that a single use and disclosure principle would

assist in providing a consistent approach for the handling of personal information and may go some way to alleviating the confusion that surrounds the identification of whether certain activities and information handling practices are considered a ‘use’ or a ‘disclosure’ and which provisions and principles should apply.[12]

25.17 A number of other stakeholders expressed a similar view.[13] The National Health and Medical Research Council (NHMRC) noted that often ‘whether an information transaction is a “use” or a “disclosure” is determined by corporate structures rather than by practical differences in information-handling practices’.[14]

25.18 Some private sector stakeholders also favoured a single use and disclosure principle. It was submitted that where a private sector organisation must comply with the IPPs pursuant to a contract it has entered into with a public sector entity, it would be ‘useful’ for the Act to deal ‘consistently with the principles relating to all dealings with personal information, including use and disclosure’.[15]

25.19 Other stakeholders preferred that agencies be subject to separate use and disclosure principles.[16] For example, the Australian Federal Police (AFP) expressed the view that the current structure of the IPPs is working adequately and does not need to be changed.[17] The Department of Human Services submitted that separate principles align better with ‘secrecy provisions’ in other legislation.[18]

25.20 In Discussion Paper 72, Review of Australian Privacy Law (DP 72), the ALRC proposed that agencies and organisations should be subject to a single use and disclosure principle.[19] A majority of stakeholders supported this proposal.[20] Reasons for support included that it would:

  • reduce significantly the complexity in privacy regulation;[21]

  • avoid technical legal arguments, and confusion, about whether an action is a use or disclosure and therefore which principle applies;[22] and

  • result in a more workable regime.[23]

25.21 The Cyberspace Law and Policy Centre emphasised that, even with the adoption of a single principle, it is necessary to understand the meaning of the distinct concepts of use and disclosure.[24] The Australian Privacy Foundation expressed the view that the ‘Use and Disclosure’ principle, the definitions or the Explanatory Memorandum to the amending legislation should:

  • confirm that accessing personal information of itself constitutes use; and

  • clarify the circumstances in which passing information outside an organisation remains a use, rather than a disclosure.[25]

25.22 The Cyberspace Law and Policy Centre stated that it would be ‘unwise’ to apply to the private sector the OPC’s interpretation of the distinction between a use and disclosure ‘without further consideration’. It also submitted that the ‘Use and Disclosure’ principle, the definitions or the Explanatory Memorandum to the amending legislation should make it clear that

there can be a disclosure even if the information is not used or acted on by the third party, and that even [if] information [is] already known to the recipient it can be disclosed.[26]

25.23 The Queensland Government stated that it

has not encountered any specific difficulties with use and disclosure being addressed in different principles, nor does it see any pressing reason why they need to be combined. It is noted, however, that, given the exceptions to each general principle—i.e. use for a secondary purpose—are to be identical, combining the two does allow for a more concise statement of the principles.[27]

25.24 Medicare Australia expressed a preference for the retention of separate principles dealing with use and disclosure because this aligns better with its secrecy provisions. It acknowledged, however, the vast support for the contrary view.[28]

ALRC’s view

25.25 The use and disclosure of personal information should be dealt with in one privacy principle, which should apply both to agencies and organisations. This is consistent with the process of consolidating the IPPs and NPPs into a single set of privacy principles, the UPPs.[29]

25.26 Moreover, dealing with use and disclosure in a single principle will reduce the complexity in privacy regulation. It will avoid technical legal arguments about whether an action constitutes a use or disclosure, and therefore reduce confusion about which principle should apply.

25.27 Having the same rules apply to use and disclosure, however, will not conflate the two concepts. It will continue to be necessary for agencies and organisations to understand their meaning. As stated in the OPC’s guidance, a key factor in distinguishing between use and disclosure is whether the entity maintains control over the personal information. It would be inconsistent with the adoption of high-level principles to introduce detailed and prescriptive rules about each of the circumstances in which particular actions will constitute use or disclosure.

25.28 Further, it is unnecessary for the Privacy Act to make it clear that accessing personal information amounts to use. The OPC’s guidance on this issue states expressly that ‘as a general rule, any accessing by an agency of personal information in its control is a “use”’. Similarly, it is unnecessary to clarify legislatively that personal information can be disclosed even if the information is not used or acted on, or is known, by the recipient, as suggested by one stakeholder. A common sense approach to interpreting the act of disclosure focuses on the act done by the disclosing party—that is, the act of releasing personal information from its control. The state of mind or intentions of the recipient cannot negate an act of disclosure, although they may limit the privacy consequences that might ensue.

Recommendation 25-1 The model Unified Privacy Principles should contain a principle called ‘Use and Disclosure’ that sets out the requirements on agencies and organisations in respect of the use and disclosure of personal information for a purpose other than the primary purpose of collection.

[6] See Ibid sch 3, NPP 2 and Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 9. The privacy principles contained in the OECD Guidelines are set out in Ch 1.

[7] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 11–12.

[8] Ibid, 12.

[9] Ibid, 12.

[10] Ibid, 12. The OPC’s guidance also addresses the circumstances when an agency maintains control over personal information. See Ibid, 13.

[11] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–6.

[12] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[13] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Confidential, Submission PR 130, 17 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; I Turnbull, Submission PR 82, 12 January 2007.

[14] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[15] National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007. See also National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[16] Australian Federal Police, Submission PR 186, 9 February 2007; Confidential, Submission PR 143, 24 January 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; W Caelli, Submission PR 99, 15 January 2007.

[17] Australian Federal Police, Submission PR 186, 9 February 2007.

[18] Australian Government Department of Human Services, Submission PR 136, 19 January 2007.

[19] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 22–1.

[20] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. Another stakeholder stated that it did ‘not oppose’ the proposal: National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.

[21] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[22] See, eg, Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007.

[23] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[24] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[25] Australian Privacy Foundation, Submission PR 553, 2 January 2008. Another stakeholder expressed a similar view: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[26] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[27] Queensland Government, Submission PR 490, 19 December 2007.

[28] Medicare Australia, Submission PR 534, 21 December 2007.

[29] See Ch 18, Rec 18–2.