Interaction with the ‘Use and Disclosure’ principle

31.177 Under the NPPs, an organisation that wants to transfer personal information outside Australia needs to determine whether the disclosure of that information to someone outside Australia will comply with NPP 2 (the Use and Disclosure principle). The organisation then needs to determine whether the transfer will satisfy at least one of the conditions set out under NPP 9. This should continue to be the case under the proposed UPPs in relation to both agencies and organisations.

31.178 In DP 72, the ALRC proposed that both the ‘Use and Disclosure’ principle and the ‘Cross-border Data Flows’ principle should include notes cross-referencing to the other, in relation to cross-border transfers of personal information.[284]

31.179 The majority of stakeholders supported this proposal.[285] The OPC noted that it would assist in clarifying obligations for agencies and organisations.[286] The Australian Privacy Foundation and the Cyberspace Law and Policy Centre noted that the relationship and interaction between the ‘Use and Disclosure’ and the ‘Cross-border Data Flows’ principles needed to be explained more clearly.[287]

31.180 Privacy NSW submitted that the proposal involved circularity, in the sense that each principle referred to the other in defining its scope. It submitted that the ‘Cross-border Data Flows’ principle should be called the ‘Disclosure to Other Countries’ thereby obviating the need for ‘circular considerations’.[288]

31.181 It is preferable that all disclosures of personal information be regulated by the ‘Use and Disclosure’ principle—this allows for consistent treatment of all personal information. The ‘Cross-border Data Flows’ principle is concerned only with the cross-border transfer of that personal information. For this reason, there is no circularity. The notes in the ‘Use and Disclosure’ principle and the ‘Cross-border Data Flows’ principle, cross-referencing to the other in relation to cross-border transfers of personal information, provide greater clarity about the interaction between the two principles.

Recommendation 31–4 A note should be inserted after the:

(a) ‘Use and Disclosure’ principle, cross-referencing to the ‘Cross-border Data Flows’ principle; and

(b) ‘Cross-border Data Flows’ principle, cross-referencing to the ‘Use and Disclosure’ principle.

[284] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 28–5, 28–6.

[285]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[286]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[287] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[288]Privacy NSW, Submission PR 468, 14 December 2007.