Current coverage by IPPs and NPPs

25.4 IPPs 9 to 11 deal with the use and disclosure of personal information by agencies. IPP 9 provides that personal information may be used only for relevant purposes. IPPs 10 and 11, respectively, impose limitations on the use and disclosure of personal information. For organisations, the rules on the use and disclosure of personal information are set out in a single privacy principle, NPP 2.

25.5 NPP 2 prohibits the use and disclosure by an organisation of personal information for a purpose other than the primary purpose of collection (the secondary purpose) except in specified circumstances. The IPPs do not use the language of ‘primary’ and ‘secondary’ purpose. IPP 10 provides that where an agency obtains personal information for a ‘particular purpose’, it cannot use the information for any ‘other purpose’ except in specified circumstances. The concepts underlying NPP 2 and IPP 10, therefore, are substantially similar. IPP 11 simply restricts the disclosure of personal information by agencies except in specified circumstances. It does not refer to the particular purpose for which personal information was collected.

25.6 There are some important similarities between the specified circumstances in the IPPs and NPPs that authorise the use and disclosure of personal information. Each of IPP 10, IPP 11 and NPP 2 permit use and disclosure where:

  • the individual has consented to the use or disclosure;

  • it is required or authorised by or under law; or

  • it is necessary to prevent or lessen a serious and imminent threat to the life or health of an individual.

25.7 The IPPs and NPPs cover common ground in another area. Under the IPPs, use or disclosure is permitted where it is reasonably necessary to enforce the criminal law or a law imposing a pecuniary penalty or protect the public revenue. Under the NPPs, use or disclosure on these grounds is permissible where an organisation reasonably believes that it is reasonably necessary for certain activities by or on behalf of an enforcement body. The test in the IPPs is, therefore, more objective than that in the NPPs.

25.8 There are, however, important differences between the NPPs and IPPs concerning use and disclosure. These differences are discussed fully below. A key difference is that the NPPs contain a greater number of exceptions to the general prohibition against use and disclosure for a secondary purpose than the IPPs. In particular, NPP 2 permits use or disclosure for a secondary purpose:

  • for the safety of an individual, public health and public safety;

  • in the preparation for, or conduct of, court or tribunal proceedings;

  • for direct marketing for non-sensitive information where specified criteria are met;[3]

  • as a necessary part of an organisation’s investigation of suspected unlawful activity or for reporting its concerns to the authorities;

  • where the organisation reasonably believes that the use or disclosure is reasonably necessary for certain specified functions of an enforcement body, including: the investigation of seriously improper conduct or prescribed conduct; enforcement of laws relating to the confiscation of the proceeds of crime; or preparation for, or conduct of, court or tribunal proceedings;

  • of health information for research or statistics relevant to public health and safety where specified criteria are met;

  • by an organisation that provides a health service to an individual of health information about that individual to a person ‘responsible’ for the individual if certain conditions are met; or

  • of genetic information obtained in the course of providing a health service to the individual where specified criteria are met.

25.9 In addition, unlike the IPPs, NPP 2 contains notes that indicate that NPP 2 is not intended to deter organisations from lawfully cooperating with law enforcement agencies and that an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.[4]

25.10 Both the IPPs and NPPs require the use and disclosure of personal information for law enforcement purposes to be recorded.[5]

[3] Direct marketing is dealt with separately in Ch 26. It is the subject of UPP 6, applicable only to organisations.

[4] See Privacy Act 1988 (Cth) sch 3, NPP 2, Notes 1–3.

[5] Ibid sch 3, NPP 2.2; s 14, IPPs 10.2, 11.2.