25.189 The fifth principle in the model UPPs should be called ‘Use and Disclosure’. It may be summarised as follows.
UPP 5. Use and Disclosure
5.1 An agency or organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection (the secondary purpose) unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and
(ii) the individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose;
(b) the individual has consented to the use or disclosure;
(c) the agency or organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to:
(i) an individual’s life, health or safety; or
(ii) public health or public safety;
(d) the agency or organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities;
(e) the use or disclosure is required or authorised by or under law;
(f) the agency or organisation reasonably believes that the use or disclosure is necessary for one or more of the following by or on behalf of an enforcement body:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal;
(g) the use or disclosure is necessary for research and all of the following conditions are met:
(i) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the use or disclosure;
(ii) a Human Research Ethics Committee that is constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research (2007), as in force from time to time, has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act;
(iii) the information is used or disclosed in accordance with Research Rules issued by the Privacy Commissioner; and
(iv) in the case of disclosure—the agency or organisation reasonably believes that the recipient of the personal information will not disclose the information in a form that would identify the individual or from which the individual would be reasonably identifiable; or
(h) the use or disclosure is necessary for the purpose of a confidential alternative dispute resolution process.
5.2 If an agency or organisation uses or discloses personal information under paragraph 5.1(f) it must make a written note of the use or disclosure.
5.3 UPP 5.1 operates in respect of personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.
Note 1: It is not intended to deter organisations from lawfully cooperating with agencies performing law enforcement functions in the performance of their functions.
Note 2: Subclause 5.1 does not override any existing obligations not to disclose personal information. Nothing in subclause 5.1 requires an agency or organisation to disclose personal information; an agency or organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.
Note 3: Agencies and organisations also are subject to the requirements of the ‘Cross-border Data Flows’ principle when transferring personal information about an individual to a recipient who is outside Australia.