Circumstances in which use and disclosure is permitted

25.29 Compared to some other principles in the Privacy Act, the principles relating to use and disclosure in each of the IPPs and NPPs adopt a prescriptive approach. They do not contain an overriding qualifier, such as permitting use or disclosure where it is ‘reasonable’ in the circumstances.[30]

25.30 The use and disclosure of personal information for the primary purpose for which it was collected is permissible. Other use and disclosure is prohibited unless it falls within the ambit of a specific legislative exception. The exceptions authorise, but do not require, a use or disclosure to be made. A note to NPP 2 provides that the principle

does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.[31]

25.31 The discussion below considers the circumstances that may comprise exceptions to a general prohibition against the use or disclosure of personal information for a purpose other than that for which it was collected.

Related or directly related secondary purpose

25.32 It is possible for agencies and organisations to use personal information, and for organisations to disclose personal information, where the purpose for which the information is to be used or disclosed (the secondary purpose) has the requisite connection with the primary purpose of collection.

25.33 NPP 2.1(a) allows the use or disclosure of personal information for a secondary purpose if the:

  • secondary purpose is related to the primary purpose of collection,[32] or, if the information is ‘sensitive information’, the secondary purpose is directly related to the primary purpose; and

  • individual would reasonably expect the organisation to use the information for the secondary purpose.

25.34 The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 justified the imposition of a stricter test in respect of the use and disclosure of sensitive information under the NPPs. It stated that:

The sensitivities associated with the use or disclosure of sensitive information mean that a stronger connection should be demonstrated between the primary purpose for collection and the secondary purpose.[33]

25.35 In contrast, IPP 10.1(e) imposes the stricter test of having to establish, in each case, a direct relation between the purpose of collection and the proposed secondary use of personal information.[34] IPP 10.1(e) does not impose, however, the additional ‘reasonable expectation’ test that is provided in NPP 2.1(a).

25.36 IPP 11 does not contain an equivalent provision to NPP 2.1(a). It allows for disclosure, however, where the individual concerned is reasonably likely to have been aware, or made aware, that information of that kind is usually passed to the entity to which the disclosure is to be made. Under this exception, there is no requirement for an agency to establish any connection between the purpose of collection and the disclosure.

Submissions and consultations

Connection between primary and secondary purpose: direct or indirect?

25.37 In response to IP 31, a number of stakeholders expressed the view that the use and disclosure of personal information by agencies and organisations for a secondary purpose should be allowed only where that purpose is directly related to the primary purpose of collection.[35] Other stakeholders opposed a requirement that there be a ‘direct’ relationship between the purpose of collection and the secondary purpose for which personal information is to be used or disclosed.[36] For example, the Commonwealth Scientific and Industrial Research Organisation (CSIRO) expressed concern that such an amendment ‘would introduce further restrictions on public health research’.[37]

Reasonable expectation of use or disclosure

25.38 In response to IP 31, a number of stakeholders supported extending to agencies the requirement, already applicable to organisations, that the individual concerned would reasonably expect the agency to use or disclose the personal information for the secondary purpose in question.[38]

25.39 For example, the OPC stated that the reasonable expectation requirement is meant to be understood in a common sense way and is not overly onerous. It said that if an entity is unsure of the reasonable expectations of an individual in particular circumstances, it could seek the individual’s consent. It also expressed the view that IPP 10 already includes the concept of reasonable expectation.[39] On the other hand, there was some concern that a ‘reasonable expectation’ requirement is ‘too vague and open to severe abuse’—particularly, by those engaging in data-mining.[40]

25.40 Some stakeholders opposed the ‘reasonable expectations’ test being applied to agencies, stating that the current provisions are adequate.[41] For example, the Department of Families, Community Services and Indigenous Affairs (FaCSIA) submitted that such a requirement would restrict how an agency uses personal information and ‘could ultimately limit the extent to which an agency could assist individuals’. It stated that:

Where information about an individual is collected for the purposes of providing a particular programme, FaCSIA considers it important to retain the discretion to use such information for other reasonable purposes, such as to identify and notify the individual of another programme which the individual may benefit from.[42]

Response to Discussion Paper proposal

25.41 In DP 72, the ALRC proposed that the test in NPP 2.1(a) should apply to agencies and organisations. That is, the ‘Use and Disclosure’ principle should allow an agency or organisation to use or disclose personal information for a purpose other than the primary purpose of collection if the:

  • secondary purpose is related to the primary purpose and, if the personal information is sensitive information, directly related to the purpose of collection; and

  • individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose.[43]

25.42 Most stakeholders supported this proposal.[44] Reasons for support included that the suggested approach:

  • would provide more flexibility in the use of personal information than is currently available to agencies under IPP 10;[45]

  • maintains the necessary level of privacy protection;[46]

  • would introduce an appropriate level of privacy protection concerning disclosures by agencies, given that agencies can currently disclose personal information for any unrelated purpose provided that the individual concerned is informed;[47]

  • has generally proven effective in balancing privacy and operational requirements in how organisations handle personal information;[48] and

  • is a suitable mechanism also for dealing, in an effective manner, with the use and disclosure of personal information by agencies.[49]

25.43 Privacy NSW supported the proposal but suggested that the wording of the principle be simplified along the following lines:

Where personal information is collected for a purpose it may be used/disclosed for a different purpose, only if that second purpose is somehow related to the original purpose, and only if the individual would reasonably expect the organisation or agency to do so.[50]

25.44 Centrelink noted that its customers generally expect it to use their personal information ‘in order to assess their eligibility to the various payments they may claim or transfer between’. It stated:

It is important, therefore, to ensure that the interpretation of … what an individual would reasonably expect … meets the expectations and needs of individuals and allows for efficient business flows.[51]

25.45 The NHMRC supported the proposal, but expressed concerns about its implementation in the context of health care, and health and medical research. It said:

Specifically, there is ongoing confusion about whether an individual’s consent needs to be obtained when a health care provider organisation seeks or is asked to disclose health information to another health care provider organisation for the purposes of ongoing patient care, or whether such disclosure falls within the ‘reasonable expectation’ provisions.[52]

25.46 A small number of stakeholders opposed the proposal[53] or parts of the proposal.[54] The Public Interest Advocacy Centre (PIAC) opposed the proposed test concerning the relationship between the primary and secondary purposes. It stated that:

The requirement of a direct relationship between the secondary and primary purposes should apply for both sensitive and non-sensitive personal information. PIAC sees no reason for adopting the less stringent requirement of ‘related’ when research indicates that most Australians have a high level of concern about use of their personal information for a purpose other than its original purpose.[55]

25.47 The Australian Taxation Office (ATO) stated that, ‘the proposal, if enacted, would represent a significant and problematic narrowing of the use principle for agencies’. It expressed concern that the introduction of a reasonable expectations test would make the use principle difficult to apply.

A principle which requires hypothesising what a particular individual would expect, even what they would reasonably expect is, while better than trying to imagine what that person actually expected, still a difficult test. The individual’s view of what was reasonable for them is likely to differ from that of the agency. Knowledge of the agency’s functions and range of potential uses of information will vary.

The Tax Office does of course inform individuals of anticipated and usual uses of personal information collected about themselves … But uses will arise which we suggest would be reasonably viewed as related, if not directly related, to the original purpose for which the information was collected, even though the individual concerned (perhaps not even the agency itself) could have anticipated them. On the reading of this proposal as it currently stands, we could effectively be prevented from using this information for legitimate and reasonable purposes.[56]

25.48 Finally, some stakeholders supported the OPC developing guidance on the application of the proposed exception.[57] For example, Medicare Australia stated that such guidance would be needed ‘to assist agencies [to] manage any differences of opinion with their customers, given the requirement to make an assessment of what the individual would “reasonably expect”’.[58]

ALRC’s view

Scope of exception

25.49 The exceptions relating to use and disclosure of personal information as they apply to agencies and organisations should be consolidated. The particular exception in the NPPs allowing use or disclosure for a secondary purpose where there is a requisite connection with the primary purpose of collection, and within the reasonable expectations of the individual, also should apply to agencies. As noted above, the exception appears to be operating effectively in the private sector. Extending its application to the public sector is consistent with the general approach of using the NPPs as templates in drafting the UPPs.[59]

25.50 Moreover, adopting a two-pronged test which focuses both on the relationship between the primary and secondary purposes, and the reasonable expectations of an individual, achieves an appropriate level of privacy protection. First, it provides additional protection concerning the use and disclosure of sensitive information, commensurate with the risks associated with the improper use and disclosure of such information. It is not necessary or desirable in respect of non-sensitive information to require a direct relationship between the primary and secondary purposes. The imposition of a stricter test of ‘direct relation’ could be quite onerous for organisations, effectively requiring them to seek consent whenever they wish to use or disclose an individual’s personal information for a purpose that is related to the primary purpose of collection, but not directly so. This scenario is likely to arise frequently where an individual is a customer of a large organisation that handles the individual’s personal information for multiple products or services. There also is a concern that a direct relationship test may hamper legitimate health and other research.[60]

25.51 Further, to the extent that the current principle regulating use of personal information by agencies will be loosened—in that a direct relationship between the primary and secondary purposes no longer will be required for non-sensitive information—it will be balanced by the additional protection offered by the reasonable expectations test. The imposition of a reasonable expectations test is unlikely to be particularly onerous. It does not require an agency or organisation to consult the individual on each proposed secondary use or disclosure. It is arguable, as the OPC submitted, that such a requirement already is implied in IPP 10.1(e). The fact that a primary purpose is related to a secondary purpose increases the likelihood that an individual would reasonably expect his or her personal information to be used or disclosed for that secondary purpose.

25.52 The recommended approach also is preferable to the current principle governing disclosure of personal information by agencies. It is unsatisfactory that an agency can disclose personal information merely on the basis that the individual concerned is reasonably likely to have been aware, or made aware, that information of that kind is usually disclosed to a particular entity. The existing approach, for example, may disadvantage an individual, who is told after the collection of his or her personal information that it will be disclosed to a particular entity even though the proposed disclosure appears to have minimal connection with the reason the information was collected.

Drafting

25.53 The ‘Use and Disclosure’ principle, drafted by the ALRC for inclusion in the model UPPs, is intended only as a guide or template. Stakeholder concerns about the drafting of this particular exception—for example, those voiced by Privacy NSW—will be best addressed by the Office of Parliamentary Counsel.[61]

Guidance

25.54 The ALRC anticipates that the OPC will develop and publish general guidance to assist agencies and organisations to comply with the ‘Use and Disclosure’ principle. This will be beneficial, particularly in assisting agencies in their transition to adopting the recommended provisions. The ALRC notes stakeholder support for such an approach. In the absence of a need to nominate any particular area upon which such guidance should focus, it is unnecessary for the ALRC to make a specific recommendation in this regard.

Recommendation 25-2 The ‘Use and Disclosure’ principle should contain an exception permitting an agency or organisation to use or disclose an individual’s personal information for a purpose other than the primary purpose of collection (the secondary purpose), if the:

(a) secondary purpose is related to the primary purpose and, if the personal information is sensitive information, directly related to the primary purpose of collection; and

(b) individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose.

Consent

25.55 The IPPs and NPPs each allow personal information to be used and disclosed if an individual has consented to that use or disclosure.

25.56 In DP 72, the ALRC included in its draft ‘Use and Disclosure’ principle, an exception to the general prohibition on secondary use and disclosure of personal information, in circumstances where an individual has consented to the use and disclosure.[62] Stakeholders did not express opposition to the retention of this exception. The Cyberspace Law and Policy Centre supported it expressly.[63]

ALRC’s view

25.57 The ‘Use and Disclosure’ principle should contain an exception authorising the use or disclosure of personal information by agencies and organisations where an individual has consented to that use or disclosure.[64]

Emergencies, disasters and threats to life, health or safety

25.58 The IPPs and NPPs each allow personal information to be used and disclosed if it is necessary to lessen or prevent a serious and imminent threat to an individual’s life or health.[65] The NPPs also allow secondary use and disclosure if it is necessary to lessen or prevent a:

  • serious and imminent threat to an individual’s safety; or

  • serious threat to public health or public safety.[66]

25.59 The NPPs, therefore, do not require a threat to public health or public safety to be imminent. This was explained in the Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000, as follows:

There is no requirement that the threat be imminent because a threat to public health or public safety, for example, a possible outbreak of infectious disease, may be serious enough to warrant disclosures of personal information but may not be imminent in terms of time. It may be clear that, unless addressed, the threat will do serious harm to public health or safety but unclear when that harm will actually occur.[67]

25.60 The NPPs also permit secondary use and disclosure of an individual’s genetic information, if the organisation reasonably believes the use or disclosure to a genetic relative of the individual is necessary to lessen or prevent a serious (but not necessarily imminent) threat to the life, health or safety of a genetic relative of the individual.[68]

25.61 There are additional regimes in the Privacy Act to deal with the use and disclosure of personal information in emergencies and disasters. Part VIA of the Act provides a separate regime for the handling of personal information in the event of a declared emergency.[69] Part VIA commenced operation on 7 December 2006.[70] It does not alter the IPPs or NPPs themselves; rather, it displaces some of the requirements in the IPPs and NPPs by providing a separate regime for the collection, use and disclosure of personal information where there is the requisite connection to an emergency that has been the subject of a declaration by the Prime Minister or a minister.

25.62 Finally, the handling of personal information in an emergency or disaster could be the subject of a temporary public interest determination (TPID) made by the Privacy Commissioner under Division 2 of Part VI of the Act.[71]

25.63 This part of the chapter focuses on the operation of the privacy principles in dealing with emergencies or other threats to life that are not declared under Pt VIA, or the subject of a TPID.

Submissions and consultations

25.64 Prior to the release of IP 31, some stakeholders expressed concern about the practical operation of the current principles. The Community Services Ministers’ Advisory Council expressed concern that agencies, in endeavouring to protect individuals’ privacy, can be unwilling to disclose personal information, which, at times, hampers the protection and care of vulnerable people. The Council stated that it was too difficult to establish that a threat to a person’s life or health was both ‘serious and imminent’ in order to justify a disclosure, stating:

Other legislation, such as in the child welfare arena, enables the sharing of information when there is ‘reasonable suspicion’ or concern of abuse and risk. This is a lower threshold, often more appropriate in the case of vulnerable people, and more fitting with the concepts of early intervention and practice.[72]

25.65 In IP 31, the ALRC asked whether agencies and organisations should be permitted expressly to disclose personal information where there is a reasonable belief that disclosure is necessary to prevent a serious and/or imminent threat to any individual’s safety or welfare, or a serious threat to public health, public safety or public welfare; and in times of emergency.[73]

25.66 In response to IP 31, a large number of stakeholders submitted that there should be a dilution of the requirement that a threat be both imminent and serious before personal information can be used or disclosed under the IPPs and NPPs.[74] Reasons for this included that the current provision:

  • operates as a barrier to stop agencies from doing what is necessary to meet ‘a credible threat’;[75]

  • encourages differing interpretations and ‘erring on the side of caution, or non-disclosure, in order to protect perceived agency or professional interests (which does not necessarily support the safety of the individuals concerned)’;[76] and

  • creates a ‘catch 22’ situation because sometimes a proper assessment of whether a threat is serious and imminent can only be made after the relevant person is aware of the personal information in question.[77]

25.67 A number of stakeholders submitted that the test simply should be whether the threat is ‘serious’—that is, the requirement that the threat also be ‘imminent’ should be removed.[78] Reasons for this included that the imminence requirement:

  • creates additional interpretive uncertainty;[79]

  • may fuel escalation of a crisis;[80] and

  • can be difficult to establish because the information about the extent and nature of a threat is held by another party.[81]

25.68 Some stakeholders preferred a different formulation altogether. Some suggested that the exception should apply where the threat is ‘significant’, the definition of which may involve balancing the public interest and privacy implications of disclosure.[82] Others proposed greater specificity in the wording of the exception, enabling disclosure where the person reasonably believes it is necessary to protect a child from abuse or neglect.[83]

25.69 The OPC favoured the retention of the condition that a relevant threat is to be both serious and imminent. It submitted that the advent of Part VIA and the public interest determination provisions adequately address the concerns about sharing information in emergency situations.[84]

25.70 In DP 72, the ALRC proposed that the ‘Use and Disclosure’ principle

should contain an exception permitting an agency or organisation to use or disclose an individual’s personal information for a purpose (the secondary purpose) other than the primary purpose of collection if the agency or organisation reasonably believes that the use or disclosure for the secondary purpose is necessary to lessen or prevent a serious threat to: (a) an individual’s life, health or safety; or (b) public health or public safety.[85]

25.71 In other words, the ALRC proposed:

  • removing the requirement that a threat is to be imminent in order to claim the benefit of this exception for threats to an individual’s life, health or safety; and

  • extending to agencies the ability to use and disclose personal information in situations involving serious threats to: an individual’s safety, public health or public safety.

25.72 The ALRC expressed the preliminary view that an assessment of whether a threat is serious involves consideration of the gravity of the potential outcome as well as its relative likelihood.[86]

25.73 A majority of stakeholders supported this proposal.[87] Reasons for support included that:

  • it would be beneficial for the Department of Defence in satisfying its obligations concerning the health and safety of its personnel;[88]

  • the current requirement that a threat should be imminent is too narrow to be effective because it sets a high bar;[89]

  • the removal of the imminence requirement will achieve greater clarity;[90]

  • it is consistent with confidentiality provisions in social security and family assistance legislation;[91]

  • it would assist the Department of Foreign Affairs and Trade (DFAT) in performing its function of providing consular services in situations involving serious threats which are not the subject of a declared emergency;[92] and

  • it addresses those situations in which an individual at risk is unable to provide consent to the disclosure of his or her personal information, where such disclosure would benefit that individual.[93]

25.74 The AFP supported the proposal, but stated that it did not address adequately investigations to locate missing persons.[94] Some stakeholders supported the removal of the imminence requirement, but preferred the use of a word other than ‘serious’. It also was suggested that any use or disclosure made in good faith for the purpose of protecting an individual’s life, health or safety; or public health or safety, should be permitted regardless of the seriousness of the threat.[95]

25.75 The Office of the Victorian Privacy Commissioner agreed that it is arguable that an assessment of whether a threat is serious

contains within itself an … assessment of the likelihood of a potential negative consequence occurring and the timeframe in which it may occur, together with the extent of damage that would be caused if the consequence eventuated.[96]

25.76 The South Australian Government, however, expressed the view that

removing the word imminent and solely relying on the word ‘serious’ does not fully take into account the ‘likelihood’ of any threat. Therefore, it would seem more appropriate to replace ‘imminent’ with another term that represents likelihood, but without the implied urgency or immediacy of ‘imminent’. For example, ‘likely’, ‘probable’, ‘anticipated’ requires a logical assessment of what may or may not eventuate, and implies a burden of proof. This is consistent with a risk management approach, which generally assesses likelihood as well as consequence.[97]

25.77 A number of stakeholders opposed the removal of the requirement that the relevant threat be imminent.[98] Reasons for this included that:

  • many stakeholder concerns are addressed by the amendments to the Privacy Act to allow secondary use and disclosure of personal information in emergencies that are the subject of a declaration;[99]

  • any broadening of the statutory exception should not be considered until the amendments to the Privacy Act concerning declared emergencies have been tested and found to be deficient;[100]

  • the imminence test is an important source of privacy protection and removing it would lower privacy protection;[101]

  • framing the test solely in terms of a ‘serious threat’ denies individuals the opportunity to exercise an appropriate degree of control over the disclosure of their personal information;[102]

  • a ‘serious threat’ may create ambiguity and be difficult to apply;[103] and

  • ‘serious’ may not be interpreted as implying a consideration of consequence and likelihood, as suggested in DP 72.[104]

25.78 The Cyberspace Law and Policy Centre submitted the removal of the requirement that the threat be imminent ‘would probably be acceptable’ for threats to an individual’s life, health or safety. It stated, however, that it would be ‘very dangerous’ to remove such a requirement in the context of threats to public health or public safety. It said:

The first part of the exception is by definition so limited—it will be necessary to identify specific individuals or small groups to satisfy this test. But if the exception was available for public health and public safety without the ‘imminent’ test, it is difficult to see how claims could not be made under it for a wide range of law enforcement and welfare programmes, including high volume data-matching and data linkage projects. We submit that it was clearly never the intention of Parliament for this exception to provide an alternative basis for such programmes. They should instead have to satisfy one of the other exceptions—typically ‘by or under law’.[105]

25.79 As has been noted above, however, there is currently no requirement that a threat to public health or safety be imminent. This was the express intention of Parliament.[106]

25.80 The OPC expressed concern about authorising the use and disclosure of personal information to address threats to safety. It stated that

retaining ‘safety’ in addition to ‘life or health’ may create scope for uses and disclosures in wider circumstances than originally intended. It may, for instance, be used to justify uses and disclosures for unspecified, or poorly-defined threats.[107]

25.81 The OPC also submitted that if the imminence requirement is removed, the relevant provision should require that where there is a serious threat, the agency or organisation should seek the consent of the individual where reasonably practicable.[108]

ALRC’s view

25.82 Agencies and organisations should be permitted to use and disclose personal information for a purpose other than the primary purpose of collection if they reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety; or public health or safety.

25.83 The current requirement that the requisite threats to an individual be imminent as well as serious sets a disproportionately high bar to the use and disclosure of personal information. This is problematic in circumstances in which there may be compelling policy reasons for the information to be used or disclosed but it is impracticable to seek consent. Agencies and organisations should be able to take preventative action to stop a threat from escalating to the point of materialisation. In order to do so, they may need to use or disclose personal information.

25.84 The requirement that the requisite threats to an individual be imminent, therefore, should be removed. Any analysis of whether a threat is ‘serious’ must involve consideration of the gravity of the potential outcome as well as the relative likelihood. If a threat carries a potentially grave outcome but is highly unlikely to occur, it cannot be considered ‘serious’ in any meaningful sense. The word ‘serious’ cannot be considered in isolation. It must be considered in the context of a ‘serious threat’. The second listed definition of ‘threat’ in the Macquarie Dictionary is ‘an indication of probable evil to come’.[109] This indicates that an assessment of likelihood of harm is implied.

25.85 While the removal of the imminence requirement will not impact on the need to assess whether a threat is likely to eventuate, it will render unnecessary an assessment of when a threat is likely to take place. This is borne out by the definition of ‘imminent’, which focuses on the immediacy of a threat. The Macquarie Dictionary defines ‘imminent’ as ‘likely to occur at any moment; impending’.[110] It defines ‘impending’ as ‘about to happen; imminent’.[111]

25.86 It should be emphasised that there are important safeguards contained in the formulation of the exception recommended by the ALRC. In each case, an agency or organisation will need to form a reasonable belief that the use or disclosure is necessary to lessen or prevent the requisite threat. An agency or organisation, therefore, will need to have reasonable grounds for its belief that the proposed use or disclosure is essential, and not merely helpful, desirable, or convenient.

25.87 There is a strong public interest in averting threats to life, health and safety. To remove the categories of threat relating to an individual’s safety or public safety, as suggested by one stakeholder, would leave a gap in the operation of the principles, and potentially lead to ambiguity in their application. For example, if an individual is facing a serious risk of injury or danger, in the absence of an exception allowing use and disclosure to prevent serious threats to safety, an agency or organisation may take an overly-conservative view that such risks do not constitute either a threat to life or health, and therefore refrain from acting.

Recommendation 25-3 The ‘Use and Disclosure’ principle should contain an exception permitting an agency or organisation to use or disclose an individual’s personal information for a purpose other than the primary purpose of collection (the secondary purpose) if the agency or organisation reasonably believes that the use or disclosure for the secondary purpose is necessary to lessen or prevent a serious threat to: (a) an individual’s life, health or safety; or (b) public health or public safety.

Reason to suspect unlawful activity

25.88 NPP 2.1(f) allows secondary use or disclosure of personal information by an organisation if it

has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities.[112]

25.89 The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 stated that:

This sub-principle explicitly acknowledges that one of an organisation’s legitimate functions is to investigate, and report on, suspected unlawful activity relating to its operations.[113]

25.90 The OPC’s guidance on this exception states that ‘ordinarily but not in all cases, the suspected unlawful activity would relate to the organisation’s operations’.[114] The OPC also has stated that it will be a ‘necessary’ part of an organisation’s investigations where it cannot effectively investigate or report the suspected unlawful activity without using or disclosing the information.[115]

25.91 ‘Investigation’ has been interpreted to include

the internal handling of complaints or allegations regarding professional misconduct, sexual harassment or assault and the reporting of them to the police or another relevant person or authority.[116]

25.92 The IPPs do not contain an equivalent exception.

Submissions and consultations

25.93 In DP 72, the ALRC included in its draft ‘Use and Disclosure’ principle an exception to the general prohibition on secondary use and disclosure of personal information, relating to reasonable suspicion of unlawful activity.[117] This exception was based on the one contained in NPP 2.1(f). In effect, the ALRC proposed extending this exception to the public sector.

25.94 Stakeholders did not express opposition to the proposed extension.[118] The DFAT stated that the proposed exception would ‘assist the Department to pass on information to the relevant authorities where necessary’.[119]

25.95 DFAT and Centrelink each submitted, however, that the exception should be expanded to include investigations of serious misconduct[120]—for example, breaches of the Australian Public Service Code of Conduct.[121] DFAT also submitted that it would

support an interpretation of ‘unlawful activity’ in UPP 5.1(d) as including activities in breach not only of Australian law, but also foreign laws and international law (for example, as set out in international instruments and bilateral agreements to which Australia is a party).[122]

25.96 The OPC suggested that consideration be given to defining more precisely legitimate uses and disclosures for the purpose of investigating alleged unlawful activity. It noted that the ‘relevant persons or authorities’ referred to in the exception are not ‘identified as being explicitly linked to the investigation’, which could lead to overly broad interpretations. The OPC suggested that the exception could refer simply to disclosure necessary for investigations or proceedings concerning the matter. Alternatively, it stated that consideration could be given to including, within the principle, a non-exhaustive list of persons who, and authorities that, would fall within the exception.[123]

ALRC’s view

25.97 The ‘Use and Disclosure’ principle should contain an exception authorising the use or disclosure of personal information by agencies and organisations where they have reason to suspect unlawful activity has been, is being, or may be, engaged in. This exception should apply only if such use or disclosure is a necessary part of an agency’s or organisation’s investigation of the matter or in reporting its concerns to relevant persons or authorities.[124]

25.98 It is unnecessary to expand the scope of this exception to include expressly investigations of serious misconduct. The OPC’s guidance on ‘investigation’ interprets ‘investigation’ to include investigation of professional misconduct. In addition, and more significantly, another exception in the model ‘Use and Disclosure’ principle authorises use and disclosure of personal information if an agency or organisation reasonably believes it is necessary by or on behalf of an enforcement body to prevent, detect, investigate or remedy serious misconduct.[125] This exception is discussed further below.

Required or authorised by or under law

25.99 NPP 2.1(g) and IPPs 10.1(c) and 11.1(d) permit use or disclosure where this is ‘required or authorised by or under law’.[126] The Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 stated that:

The sub-principle [NPP 2.1(g)] is intended to cover situations where a law unambiguously requires or authorises the use or disclosure of personal information. There could be situations where the law requires some actions which, of necessity, involve particular uses or disclosures, but this sort of implied requirement would be conservatively interpreted. The reference to ‘authorised’ encompasses circumstances where the law permits, but does not require, use or disclosure.[127]

25.100 The OPC’s guidance on NPP 2.1(g) provides:

The Privacy Act does not override specific legal obligations relating to use or disclosure of personal information … If an organisation is required by law to use or disclose personal information it has no choice and it must do so. If an organisation is authorised by law to use or disclose personal information it means the organisation can decide whether to do so or not.[128]

25.101 In response to IP 31, the OPC suggested that this exception should be narrowed with respect to the use or disclosure of sensitive information. It submitted that, ‘to avoid a broad reading of this [exception] where sensitive information is at stake, the inclusion of “clearly” or “expressly” authorised could be considered’.[129]

25.102 In DP 72, the ALRC asked the following question:

Should the proposed ‘Use and Disclosure’ principle contain an exception allowing an agency or organisation to use or disclose personal information for a purpose other than the primary purpose of collection where this is ‘required or specifically authorised by or under law’ instead of simply ‘required or authorised by or under law’?[130]

Submissions and consultations

25.103 Stakeholders’ opinions were divided on whether use and disclosure under this limb should be specifically required or authorised by or under law. A number of stakeholders, including privacy advocates and privacy commissioners, supported such an approach.[131] Some stakeholders stated that requiring specific authorisation would promote clarity of approach.[132] For example, GE Money stated:

Organisations receive very many requests for disclosure of information to a wide range of government agencies. Many hours are spent debating with those agencies whether the organisation is currently required to provide the information. Much criticism is directed at organisations for the ‘risk averse’ approach taken to these sorts of considerations. GE considers it appropriate that where third parties require access to information that they are unambiguously empowered to require it before an organisation should provide it.[133]

25.104 PIAC expressed the view that the narrowing of the exception is justified ‘given the high degree of public concern about use of personal information for purposes other than its original purpose’.[134] Privacy NSW stated that in its experience, New South Wales agencies tend to overstate the authority granted by the relevant law.[135]

25.105 A large number of stakeholders opposed a requirement for a use or disclosure to be specifically authorised by or under law.[136] Concerns included that a requirement for ‘specific’ authorisation:

  • is superfluous[137] and unnecessary because: ‘a use or disclosure is either authorised or is not authorised by or under law’;[138] or the current approach strikes an appropriate balance between facilitating the efficient operations of an agency and protecting the privacy of individuals;[139]

  • does not take into account adequately the nature of many federal laws on disclosure;[140]

  • assumes that all of the powers and functions of an agency always will be set out expressly in legislation, when in fact, what is required may be determined by necessary implication;[141]

  • will have the unintended consequence of preventing the release of personal information when a ‘fair reading’ of the law authorises disclosure by implication;[142]

  • may not cater for circumstances in which use or disclosure may be authorised by a contractual duty,[143] duty of care,[144] a statutory duty not to mislead or deceive,[145] or the common law duty of confidentiality;[146] and

  • would necessitate an amendment to existing legislation which was not drafted with such a requirement in mind.[147]

ALRC’s view

25.106 The ‘Use and Disclosure’ principle must contain an exception which allows for the legitimate use and disclosure of personal information if it is required or authorised by or under law. To impose a restriction that may narrow the scope of the exception to express legislative authorisations only is likely to have far-reaching, and possibly unintended, consequences. For example, it may impact negatively on the ability of agencies to fulfil their statutory functions and exercise their powers. It may compromise disclosures which, by necessary implication, parliament intended to be made. Imposing a ‘specific authorisation’ requirement also would likely necessitate a review of current legislation to ensure that, where needed, the use and disclosure of personal information is specifically authorised.

25.107 Promoting clarity of approach was a key factor cited by those stakeholders that supported a requirement for specific authorisation. Increased clarity, however, is likely to be achieved if the ALRC’s recommendations on the ‘required or authorised by or under law’ exception are implemented. As discussed in Chapter 16, the ALRC has recommended that the Privacy Act should be amended to set out what ‘law’ includes for the purpose of the exception.[148] It also has recommended that the OPC should develop and publish guidance to clarify when an act or practice will be required or authorised by or under law.[149]

25.108 Absent a legislative requirement that a use or disclosure for a secondary purpose must be specifically authorised, agencies and organisations must nonetheless be able to establish the basis upon which they assert their entitlement to rely on the exception. That is, they will still need to be able to identify the law which they assert requires or authorises a particular use or disclosure.

25.109 It is unnecessary and undesirable, therefore, for privacy legislation to mandate that a use or disclosure of personal information for a secondary purpose must be specifically authorised by or under law in order to qualify as a permitted exception to the prohibition on such use and disclosure.

Law enforcement and regulatory purposes

25.110 IPPs 10 and 11, respectively, permit agencies to use personal information for a secondary purpose, and to disclose personal information where use or disclosure is ‘reasonably necessary for enforcement of the criminal law, a law imposing a pecuniary penalty, or for the protection of the public revenue’.[150]

25.111 NPP 2.1(h) allows an organisation to use or disclose personal information for a secondary purpose if it

reasonably believes it is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii) the enforcement of laws relating to the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;[151]

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or the implementation of the orders of a court or tribunal.[152]

25.112 The OPC has issued an Information Sheet which provides guidance on this exception.[153] For example, that guidance provides that:

‘Seriously improper conduct’ refers to serious breaches of standards of conduct associated with a person’s duties, powers, authority and responsibilities. It includes corruption, abuse of power, dereliction of duty, breach of obligations that would warrant the taking of enforcement action by an enforcement body or any other seriously reprehensible behaviour.[154]

Submissions and consultations

25.113 In DP 72, the ALRC, based on its use of the NPPs as a template, included in its draft ‘Use and Disclosure’ principle an exception to the general prohibition on secondary use and disclosure of personal information based substantially on the law enforcement exception contained in NPP 2.1(h).[155] This had the effect of consolidating the approach to the law enforcement exception across both the private and public sectors.

25.114 The Cyberspace Law and Policy Centre supported this approach expressly.[156] It also submitted that a note to the exception should state that it ‘requires the active involvement’ of an enforcement body, that is:

it should not be open for an agency or organisation to claim this exception in respect of uses and disclosures which [are] only of prospective interest to an enforcement body.[157]

25.115 One stakeholder expressed concern that the proposed exception may not address adequately the intelligence-gathering functions of agencies and their need to share criminal information and intelligence.[158]

ALRC’s view

25.116 The ‘Use and Disclosure’ principle should contain an exception permitting agencies and organisations to use and disclose personal information for a secondary purpose if they reasonably believe it is necessary for, or on behalf of, an enforcement body to perform one of the functions specified in NPP 2.1(h).

25.117 The law enforcement exception contained in the NPPs is to be preferred to that contained in the IPPs because of its greater scope. It canvasses with greater precision the legitimate areas of law enforcement and regulation that warrant the authorisation of secondary use and disclosure of personal information. It also promotes clarity.

25.118 The law enforcement exception should not be limited to circumstances in which there is an ‘active’ involvement of an enforcement body, as suggested by two stakeholders. Such a provision would be counter-productive, potentially limiting the operation of the law enforcement exception to allowing use and disclosure of personal information to assist law enforcement bodies to undertake existing investigations into offences and breaches of the law. A law enforcement body, however, may not be in a position to prevent, detect or investigate offences or breaches of the law, unless and until certain information, including personal information, is brought to its attention. The exception, therefore, should not be framed in a manner that prejudices the ability of enforcement agencies to initiate investigations in the public interest.

25.119 It is not necessary to amend the law enforcement exception to address specifically the intelligence-gathering functions of agencies. The OPC’s guidance on the use and disclosure principles in the IPPs takes a purposive approach and acknowledges specifically that an agency may need to use and disclose personal information for intelligence-gathering that does not relate to a specific crime. It provides that:

In safeguarding one of the public purposes listed in exceptions 10.1(d) or IPP 11.1(e), it may be reasonably necessary for an agency to use or disclose information about a range of people—even though none of them has yet been directly linked to an unlawful activity.

For example: Investigators may suspect that a particular building is being used in drug trafficking and may think it reasonably necessary for enforcing the criminal law that they gather information about people associated with the building—even though they do not know what part, if any, those people play in the suspected activity.[159]

Research

25.120 NPP 2.1(d) provides that an organisation may use or disclose health information where necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety where:

  • it is impracticable for the organisation to seek the individual’s consent before the use or disclosure;

  • the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under s 95A;[160] and

  • in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information.

25.121 In Chapter 65, the ALRC has recommended expanding the scope of the research exception beyond health and medical research to apply to human research generally.[161] The ALRC has recommended specific conditions upon which use and disclosure necessary for research is to be authorised.[162] The ‘Use and Disclosure’ principle set out at the end of this chapter, therefore, contains the recommended research exception.[163]

Provision of a health service

25.122 NPP 2.4 permits an organisation that provides a health service to an individual to disclose health information about the individual to a person who is responsible for the individual if certain conditions are met. NPPs 2.5 and 2.6 define a person responsible for an individual.[164]

25.123 The ALRC has recommended that NPPs 2.4 to 2.6 should be moved to the new Privacy (Health Information) Regulations.[165] Those provisions, therefore, are not included in the ‘Use and Disclosure’ principle. The ALRC also has recommended that the new regulations should provide that an agency or organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if the individual is incapable of giving consent to the disclosure and all the other circumstances currently set out in NPP 2.4 are met.[166]

Genetic information

25.124 NPP 2.1(ea) contains an exception to the general prohibition on the use and disclosure of personal information for a secondary purpose that authorises the use and disclosure of genetic information obtained in the course of providing a health service to an individual. This is allowed where necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the individual. This exception is discussed in Chapter 63.

25.125 The ALRC has recommended that this specific exception should be moved out of the ‘Use and Disclosure’ principle and be dealt with in the new Privacy (Health Information) Regulations.[167] These regulations are to apply to both agencies and organisations.[168]

Confidential alternative dispute resolution process

25.126 Neither the NPPs nor the IPPs contain an exception authorising a secondary use or disclosure of personal information where it is necessary for the purpose of a confidential alternative dispute resolution process. For the reasons discussed in detail in Chapter 44, the ‘Use and Disclosure’ principle should contain such an exception.

[30] Compare the approach taken in NPP 1.4, for example, which requires an organisation to collect personal information about an individual only from that individual, if it is reasonable and practicable to do so.

[31] Privacy Act 1988 (Cth) sch 3, NPP 2.1, Note 2.

[32] The Explanatory Memorandum stated that ‘to be “related”, the secondary purpose must be something that arises in the context of the primary purpose’: Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [341].

[33] Ibid, [342].

[34] Privacy and Personal Information Protection Act 1998 (NSW) s 17(b) also imposes a ‘direct relationship’ test in the context of use of personal information by agencies.

[35] See, eg, Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; AAMI, Submission PR 147, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Insolvency and Trustee Service Australia, Submission PR 123, 15 January 2007.

[36] CSIRO, Submission PR 176, 6 February 2007; ANZ, Submission PR 173, 6 February 2007.

[37] CSIRO, Submission PR 176, 6 February 2007. See also Veda Advantage, Submission PR 163, 31 January 2007.

[38] See, eg, Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[39] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[40] W Caelli, Submission PR 99, 15 January 2007.

[41] Confidential, Submission PR 165, 1 February 2007; AXA, Submission PR 119, 15 January 2007.

[42] Australian Government Department of Families, Community Services and Indigenous Affairs, Submission PR 162, 31 January 2007.

[43] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 22–2.

[44] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. Another stakeholder stated that it did ‘not oppose’ the proposal: National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.

[45] Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[46] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[47] Ibid.

[48] Ibid. Optus expressed a similar view. It stated that the inclusion of a ‘reasonable expectation’ provision has provided ‘useful guidance in many instances during day-to-day operations and decision-making processes within [its] organisation’: Optus, Submission PR 532, 21 December 2007.

[49] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[50] Privacy NSW, Submission PR 468, 14 December 2007. Another stakeholder expressed the view that the terms ‘primary’ and ‘secondary’ purpose are outdated: Smartnet, Submission PR 457, 11 December 2007.

[51] Australian Government Centrelink, Submission PR 555, 21 December 2007.

[52] National Health and Medical Research Council, Submission PR 397, 7 December 2007. The ALRC’s view on these concerns is set out in Ch 63, in the discussion on use and disclosure of health information for primary and secondary purposes.

[53] Australian Taxation Office, Submission PR 515, 21 December 2007.

[54] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[55] Ibid.

[56] Australian Taxation Office, Submission PR 515, 21 December 2007.

[57] Medicare Australia, Submission PR 534, 21 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007. See also Centre for Law and Genetics, Submission PR 497, 20 December 2007.

[58] Medicare Australia, Submission PR 534, 21 December 2007.

[59] See Ch 18.

[60] See Part H for a discussion on use and disclosure of personal information for secondary purposes in the health and research contexts; and Part J for a discussion of use and disclosure in the telecommunications context.

[61] See Ch 18.

[62] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), UPP 5.1(b).

[63] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[64] See Ch 19, which discusses the meaning and elements of consent.

[65] Privacy Act 1988 (Cth) s 14, IPPs 10(1)(e), 11(1)(c); sch 3, NPP 2.1(e)(i).

[66] Ibid sch 3, NPP 2.1(e)(i), (ii).

[67] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [356].

[68] Privacy Act 1988 (Cth) sch 3, NPP 2.1(ea). The use and disclosure of genetic information is discussed in Ch 63.

[69] The Part VIA regime is discussed in Ch 44.

[70] Privacy Legislation Amendment (Emergencies and Disasters) Act 2006 (Cth).

[71] Temporary public interest determinations are discussed in Ch 47.

[72] Community Services Ministers’ Advisory Council, Submission PR 47, 28 July 2006.

[73] See Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–7(b), (c).

[74] For example, two stakeholders submitted that the threat level should be ‘serious or imminent’, as distinct from ‘serious and imminent’: Australian Federal Police, Submission PR 186, 9 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[75] Commonwealth Ombudsman, Submission PR 202, 21 February 2007. See also Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[76] Government of South Australia, Submission PR 187, 12 February 2007.

[77] Ibid.

[78] Ibid; Confidential, Submission PR 143, 24 January 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[79] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[80] Government of South Australia, Submission PR 187, 12 February 2007.

[81] Ibid. This stakeholder also noted that removing the ‘imminent’ element of the exception would enhance consistency across legislation dealing with privacy, secrecy and confidentiality.

[82] Confidential, Submission PR 130, 17 January 2007. See also Government of South Australia, Submission PR 187, 12 February 2007.

[83] Confidential, Submission PR 214, 27 February 2007. Another stakeholder expressed a similar view: Government of South Australia, Submission PR 187, 12 February 2007.

[84] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[85] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 22–3.

[86] Ibid, [22.61].

[87] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. One stakeholder, which supported the proposal, submitted that the exception should be limited to disclosure to law enforcement agencies and emergency service bodies: Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[88] Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[89] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[90] Ibid.

[91] Australian Government Centrelink, Submission PR 555, 21 December 2007.

[92] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.

[93] Ibid.

[94] Australian Federal Police, Submission PR 545, 24 December 2007. The issue of missing persons is discussed separately below.

[95] Confidential, Submission PR 536, 21 December 2007. Another stakeholder suggested that the relevant threat should be ‘significant’: National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.

[96] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[97] Government of South Australia, Submission PR 565, 29 January 2008.

[98] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Confidential, Submission PR 535, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. See also M Lander, Submission PR 451, 7 December 2007.

[99] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[100] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[101] See, eg, Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[102] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[103] Ibid.

[104] Ibid. The OPC submitted that if the imminence requirement is removed, ‘serious’ should be defined to include an assessment of the relative likelihood of the threat eventuating.

[105] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[106] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 143–144.

[107] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[108] Ibid.

[109] Macquarie Dictionary (online ed, 2007), (emphasis added).

[110] Ibid, (emphasis added).

[111] Ibid, (emphasis added).

[112] Privacy Act 1988 (Cth) sch 3, NPP 2.1(f).

[113] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [357].

[114] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 41.

[115] Office of the Federal Privacy Commissioner, Unlawful Activity and Law Enforcement, Information Sheet 7 (2001), 2.

[116] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001), 19.

[117] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), UPP 5.1(d).

[118] The Cyberspace Law and Policy Centre supported it expressly: Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[119] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.

[120] Ibid; Australian Government Centrelink, Submission PR 555, 21 December 2007.

[121] Australian Government Centrelink, Submission PR 555, 21 December 2007.

[122] Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008.

[123] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. Office of the Federal Privacy Commissioner, Unlawful Activity and Law Enforcement, Information Sheet 7 (2001) lists the bodies considered by the OPC to fall within the scope of the exception.

[124] The concerns about the precise drafting of the exception and, in particular, whether the exception should contain a non-exhaustive list of relevant persons and authorities that fall within the scope of the exception will best be addressed by the Office of Parliamentary Counsel.

[125] An ‘enforcement body’ is defined in s 6 of the Privacy Act. It includes, for example, the Australian Federal Police, the Integrity Commissioner, and agencies to the extent that they are responsible for administering law relating to the protection of the public revenue.

[126] The meaning of ‘required or authorised by or under law’ is discussed in detail in Ch 16.

[127] Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [336].

[128] Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 41.

[129] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[130] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 22–1.

[131] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; I Graham, Submission PR 427, 9 December 2007.

[132] GE Money Australia, Submission PR 537, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[133] GE Money Australia, Submission PR 537, 21 December 2007.

[134] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[135] Privacy NSW, Submission PR 468, 14 December 2007.

[136] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Federal Police, Submission PR 545, 24 December 2007; Confidential, Submission PR 536, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. See also National Australia Bank, Submission PR 408, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007, which expressed concerns about such an approach. See also Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008 which expressed support for retention of the current approach.

[137] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[138] Telstra Corporation Limited, Submission PR 459, 11 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[139] Australian Government Centrelink, Submission PR 555, 21 December 2007.

[140] Australian Taxation Office, Submission PR 515, 21 December 2007.

[141] Australian Federal Police, Submission PR 545, 24 December 2007. Similarly, the ATO expressed concern that the requirement will potentially be interpreted narrowly to mean ‘express’ authorisation: Australian Taxation Office, Submission PR 515, 21 December 2007.

[142] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007. See also Australian Taxation Office, Submission PR 515, 21 December 2007, which expressed the similar view that such an approach could ‘compromise disclosures which Parliament clearly intended could be made’.

[143] Australian Collectors Association, Submission PR 505, 20 December 2007. See also Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[144] Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[145] Ibid.

[146] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[147] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; National Australia Bank, Submission PR 408, 7 December 2007.

[148] See Rec 16–1.

[149] See Rec 16–2.

[150] Privacy Act 1988 (Cth) s 14, IPP 10.1(d), IPP 11.1(e). See Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), Guidelines 39–41, for the OPC’s interpretation of ‘enforce the criminal law’; ‘enforce a law imposing a pecuniary penalty’ and ‘protect the public revenue’.

[151] IPP 11 does not contain a direct equivalent of this limb. In Privacy Commissioner, Public Interest Determination 3A, 22 August 1991, the Privacy Commissioner allowed the Director of Public Prosecutions ‘to disclose to a relevant authority information in its possession about an individual where that information indicates serious misconduct directly relevant to the performance of a regulated occupation or profession; or of a public service position’.

[152] Privacy Act 1988 (Cth) sch 3, NPP 2.1(h). ‘Enforcement body’ is defined in s 6 of the Privacy Act.

[153] See Office of the Federal Privacy Commissioner, Unlawful Activity and Law Enforcement, Information Sheet 7 (2001).

[154] Ibid, 3.

[155] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), UPP 5.1(f).

[156] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[157] Ibid. Another stakeholder expressed a similar view: Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[158] Confidential, Submission PR 488, 19 December 2007.

[159] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8–11: Advice to Agencies about Using and Disclosing Personal Information (1996), 46.

[160] Section 95A of the Privacy Act allows the Commissioner to approve, for the purposes of the NPPs, guidelines that are issued by the CEO of the National Health and Medical Research Council or a prescribed authority. See discussion in Part H.

[161] See Rec 65–2.

[162] See Rec 65–9.

[163] The discussion supporting the inclusion of this exception is in Ch 65.

[164] These provisions are discussed more fully in Ch 63.

[165] See Rec 63–3.

[166] See Rec 63–3.

[167] See Rec 63–5.

[168] See Rec 63–5.