Chapter 9

Australian Privacy Principle 6–use or disclosure of personal information

Introduction

9.1 Australian Privacy Principle 6 (APP 6) outlines the circumstances in which entities may use or disclose personal information that has been collected or received.[1]

9.2 The Companion Guide states that from this principle, it is implicit that an entity may use or disclose personal information for the primary purpose that the information was collected for. This personal information can only be used or disclosed for a secondary purpose (a purpose other than the primary purpose), if the individual concerned has consented.[2] However, the Companion Guide explains that in some circumstances, the public interest outweighs individual privacy, and consequently a series of exceptions which allow the use or disclosure of personal information without consent, are provided for in APP 6. The exceptions are based on those which currently exist under National Privacy Principle 2.1, with the addition of some new exceptions. Further, this principle does not apply to the use or disclosure of government related identifiers or personal information for the purposes of direct marketing – use and disclosure for these purposes is covered in separate principles.[3]

Background

9.3 Provisions regarding the use and disclosure of personal information by agencies are contained in Information Privacy Principles (IPPs) 9 to 11. These provide that:

personal information should only be used for a purpose which is relevant to the information (IPP 9);
personal information should only be used for particular purposes for which it was collected unless certain exceptions apply (IPP 10);
personal information should not be disclosed to a person, body or agency other than the individual unless certain exceptions apply (IPP 11).[4]

9.4 National Privacy Principle (NPP) 2 provides for the use and disclosure of personal information by organisations. Under NPP 2 the use and disclosure of personal information for a purpose other than the 'primary purpose' of collection, is prohibited, unless certain exceptions apply.[5]

9.5 The NPPs and IPPs contain some similar exceptions, permitting the use and disclosure of personal information in situations in which:

the individual consents to the use or disclosure;
use or disclosure of the personal information is authorised by or under law;
use or disclosure of the personal information is necessary to lessen or prevent a serious and imminent threat to the life or health of an individual;
use or disclosure is reasonably necessary to enforce certain activities of an enforcement body.[6]

9.6 However, NPP 2 contains a much larger list of exceptions than the IPPs.[7]

9.7 In its review, the ALRC considered, amongst other issues:

the appropriateness of consolidating the use and disclosure provisions in the IPPs and NPPs into a single principle;
the circumstances in which the use and disclosure of personal information for a purpose other than the purpose the information was collected for, should be permitted; and
whether any use or disclosure for a purpose other than the original purpose for which the information was collected, should be recorded.[8]

9.8 The ALRC considered whether use and disclosure provisions should be consolidated into a single principle and came to the view that a single privacy principle should deal with use and disclosure for both agencies and organisations. The ALRC commented that this would reduce the complexity of privacy regulation and avoid technical legal arguments about whether an action constitutes a use or disclosure.[9]

9.9 The ALRC noted that the principles in both the IPPs and NPPs relating to use and disclosure 'adopt a prescriptive approach' and do not contain an overriding qualifier such as permitting disclosure where it is 'reasonable' in the circumstances. Use and disclosure of personal information is permitted for the primary purpose for which it was collected unless an exception authorises this action. The ALRC noted that these exceptions do not require the use or disclosure of personal information – they merely permit the use or disclosure in certain circumstances.[10]

9.10 The ALRC considered the exceptions to the prohibition on use or disclosure and came to the view that the exceptions as they apply to agencies and organisations should be consolidated. In addition, the ALRC commented, in relation to specific exceptions as follows:

use or disclosure for a secondary purpose where there is a requisite connection with the primary purpose of collection, and within the reasonable expectations of the individual–the NPPs include this exception and the ALRC considered that it should also apply to agencies. In relation to sensitive information, the ALRC recommended that the secondary purpose be directly related to the primary purpose. The reasonable expectation test was seen as balancing the loosening of the provisions governing agencies and is unlikely to be particularly onerous;[11]
authorisation of the use or disclosure of personal information in circumstances in which an individual has consented to that use or disclosure–this exception should be included in the use and disclosure principle;[12]
use or disclosure of information in circumstances by agencies and organisations where they have reason to suspect unlawful activity–the ALRC considered this an appropriate exception but that it should only apply if such use or disclosure is a necessary part of the entity's investigation. The ALRC did not think it was necessary to expressly extend the exception to suspected serious misconduct, despite submissions to that effect by some stakeholders, as the OPC's guidance on investigation includes investigation of professional misconduct;[13] and
law enforcement and regulatory purposes–the ALRC support an exception for the use or disclosure of information for a secondary purpose if it is necessary for, or on behalf of, an enforcement body to perform its functions. Rather than the more general exception in IPPs 10 and 11, the ALRC preferred the format of NPP 2.1(h) in this regard as it listed specific functions to which such an exception would apply.[14]

9.11 In relation to the emergency, disaster and threat to life, health or safety exception, currently, personal information can be used and disclosed if it is necessary to lessen or prevent a serious and imminent threat to an individual's life or safety. The NPPs also allow secondary use and disclosure in certain circumstances. The ALRC formed the view that the use and disclosure of personal information should be permitted if an agency or organisation reasonably believes that such a use or disclosure is necessary to lessen or prevent a serious threat to an individual's life, or the health and safety of an individual or the public. The ALRC explained the 'reasonable belief' test was an important safeguard, as an agency or organisation 'will need to have reasonable grounds for its belief that the proposed use or disclosure is essential, and not merely helpful, desirable, or convenient.'[15]

9.12 While an assessment of what constitutes a 'serious threat' would have to consider both the likelihood of harm, and the gravity of the outcome, the ALRC considered it prudent to retain this term. However, the ALRC suggested that the requirement that any threat be 'imminent' be removed, as it focuses on the immediacy of a threat, and in the ALRC's view, agencies and organisations 'should be able to take preventative action to stop a threat from escalating to the point of materialisation.'[16]

9.13 In its submission to the Legal and Constitutional Affairs Committee inquiry, the Australian Privacy Foundation suggested that the exception regarding the use or disclosure of personal information required or authorised by or under law should be restricted by removing the terms 'authorised' and under to remove any subjectivity, and providing a clear definition of what is encompassed by the term 'law'.[17]

9.14 The ALRC expressed the view that there must be provision for an exception which allows the use or disclosure of personal information where it is required or authorised by or under law. The ALRC noted suggestions that this exception should be narrowed, however the ALRC argued that restricting the exception might have 'far-reaching, and possibly unintended, consequences.' The ALRC suggested some important safeguards on this exception, recommending that the Privacy Act be amended to specify what is included by 'law' with regard to this exception, and suggesting that the OPC develop guidelines regarding when an act or practice will be required or authorised under law. Further, the ALRC explained that agencies and organisations must:

...be able to establish the basis upon which they assert their entitlement to rely on the exception. That is, they will still need to be able to identify the law which they assert requires or authorises a particular use or disclosure.^{^[18]}

9.15 While neither the IPPs nor the NPPs provide for the use and disclosure of personal information necessary for the purposes of confidential alternative dispute resolution (ADR) processes, the ALRC recommended that such an exception be included. The current Privacy Act, without such an exception, has the potential to present significant barriers to the resolution of disputes through ADR, which is 'facilitated by the disclosure of all relevant information by the parties to dispute resolution bodies, including personal information about third parties.'[19]

9.16 In providing this recommendation, the ALRC noted that ADR 'potentially could include an extremely broad range of situations.' The ALRC considered that the most appropriate way to limit the scope of the provision would be to provide confidentiality requirements, and the particulars of what constitutes confidentiality requirements would be articulated by guidance formulated by the OPC in consultation with the National Alternative Dispute Resolution Advisory Council.[20]

9.17 The ALRC considered the inclusion of an exception allowing use and disclosure for the establishment, pursuit or defence of legal rights. However, the ALRC came to the conclusion that such an exemption would not practically assist intending litigants in a substantial way, as the exception would permit and not compel the disclosure of information. Further, the ALRC noted that processes via court orders exist for the purposes of obtaining information for the purposes of legal rights, and that these processes are subject to established rules to prevent any abuse by the parties involved, and therefore provide the most appropriate way of accessing required information for these purposes.[21]

9.18 In its report, the ALRC noted the significant issues and competing considerations surrounding the authorisation for the use and disclosure of personal information for the purposes of missing persons investigations. While such disclosures may assist in locating missing persons who want to be located, it was noted that there are circumstances in which the missing person does not wish to be located for personal reasons, or due to fear for their own safety. In light of this, the ALRC noted that creating a general exception regarding missing person investigations could interfere with the privacy of an individual and risk their safety. The ALRC concluded that other means may be used to obtain information to assist missing persons investigations:

Where an agency or organisation has a legitimate reason to search for a missing person, it may be able to avail itself of one of the other exceptions to the general prohibition in the 'Use and Disclosure' principle, or it may seek a public interest determination.^{^[22]}

Recording use or disclosure for a secondary purpose

9.19 The ALRC formed the view that, as is currently the case under IPPs 10 and 11 and NPP 2, agencies and organisations should be required to record any use or disclosure made under the exception regarding law enforcement. The ALRC noted calls from other committees and stakeholders for expanding the requirements regarding the logging of use and disclosures made for purposes other than the primary purpose of collection. However, the ALRC concluded that requiring that each use and disclosure made under an exception be recorded would not be justified and would be hugely impractical, costly and onerous for organisations and agencies.[23]

Government response

9.20 The Government accepted that a use and disclosure principle was necessary and that these requirements should 'be balanced so as to recognise other important public interests that may, on occasion, compete with the public interest of maintaining the individual's privacy'. The Government also agreed that the use and disclosure of personal information should be allowed for a secondary purpose if the individual would reasonably expect their information to be used for the secondary purpose, and the secondary purpose is related to the primary purpose of collection, or in the case of sensitive information, the secondary purpose is directly related to the primary purpose of collection.[24]

9.21 The Government response also indicated that, in addition to the exceptions recommended by the ALRC, it considered that further exceptions were necessary relating to circumstances in which:

the individual consents to the use or disclosure;
unlawful activity or serious misconduct is suspected and the agency or organisation uses or discloses personal information as a necessary part of its own investigation of the matter or in reporting its concerns to relevant persons or authorities;
the use or disclosure is required or authorised by or under law; and
the organisation or agency reasonably believes that the use or disclosure is reasonably necessary for the prevention, investigation, detection or prosecution of breaches of a law by or on behalf of an enforcement body.[25]

9.22 The Government also identified additional exceptions related to matters addressed in other recommendations made by the ALRC in relation to confidential alternative dispute resolution; research purposes; and provision of a health service.

9.23 In agreeing that there should be provision for the use and disclosure of personal information where an agency or organisation reasonably believes it is necessary to lessen or prevent a serious threat to an individual's life, health or safety or public health or public safety, the Government acknowledged the concerns of some stakeholders that the exception was too broad. While the Government agreed with the removal of the term 'imminent', the response suggested that in order to provide an adequate safeguard, an additional requirement that it be unreasonable or impracticable to obtain an individual's consent to such a use or disclosure, be added to the exception.[26]

9.24 The Government indicated its support for an express exception to allow the use or disclosure of information for a missing person investigation. Recognising that there are legitimate reasons why some individuals may not wish to be located, the Government outlined that the exception would only permit, and not compel, the use or disclosure of personal information in these circumstances. Further, the Government stated that any use or disclosure of personal information for this purpose would be subject to binding rules issued by the Privacy Commissioner in a legislative instrument subject to parliamentary scrutiny. The Government suggested that the rules issued by the Privacy Commissioner should be developed in consultation with relevant stakeholders, and should address matters including that uses and disclosures should only be in response to requests from appropriate bodies with recognised authority for investigating reported missing persons; and where it is either unreasonable or impracticable to obtain consent from the individual, any use or disclosure should not go against any known wishes of the individual.[27]

Issues

Structure and terminology

9.25 Various submitters raised concerns about the structure of APP 6 and the terminology used. Professor Graham Greenleaf and Mr Nigel Waters noted that the ALRC's Unified Privacy Principle (UPP) 5 provides a single list of 'conditions' on the use or disclosure of personal information, whereas APP 6 splits the list between APP 6(1) and APP 6(2). They expressed concern that this is misleading, as without making it clear that APP 6(2) actually contains exceptions to providing consent for use and disclosure, the principle:

...implies that consent has a much more prominent role than it does in reality. Having consent as just one of a number of conditions for use and disclosure in a single clause gives a much more realistic impression of the effect of the law.[28]

9.26 The OPC also commented on the structure of APP 6 and suggested that APP 6(1) and (2) be merged into a shorter simpler single provision.[29] Privacy NSW added that, in its view, APP 6 is too complex and will not assist people in understanding how their personal information may be managed. An alternative form of words for the principle was suggested, providing an initial link to APP 5:

If an entity has notified an individual about its intended uses or disclosure of personal information it may carry out those uses or disclosures. If an individual has not agreed to those uses or disclosures, the entity may only use or disclose the information if the following circumstances apply:...[30]

Conclusion

9.27 The committee again notes that general comments in relation to the structure of the APPs have been made in chapter 3.

Use or disclosure–APP 6(1)

9.28 APP 6(1) provides that an entity should only disclose personal information about an individual for the 'primary purpose', being the particular purpose for which it was collected. The personal information can only be used or disclosed for a 'secondary purpose' if the individual agrees to the use or disclosure for that purpose, or if one of the exceptions in APP 6(2) applies. The Office of the Guardian for Children and Young People (GCYP) noted its partial support for this provision.[31]

9.29 The Office of the Information Commissioner, Queensland (OIC), raised concerns that the test allowing the use or disclosure of information is too loose 'as to render the prohibition on secondary use or disclosure meaningless' and went on to state:

Entities have specific areas of operation which are necessarily both broad albeit concentrated in a specific area...All activities conducted in an entity can be related to all other activities...Under APP6 the potential exists for the secondary use or disclosure of any personal information which in the control or possession of an entity irrespective that the primary purpose is widely different.[32]

9.30 The OIC went on to note that privacy legislation in place in Queensland only allows 'use' for a secondary purpose, and that secondary purpose must be directly related to the primary purpose. According to the OIC, it is determined objectively, rather than subjectively. The OIC suggests that this provision be limited in a similar manner to the Queensland legislation.[33]

9.31 A number of submitters, for example, the Australian Institute of Credit Management (AICM), requested clear guidance as to what might constitute a secondary purpose, as this concept does not appear to be defined within the exposure draft. AICM was concerned that without further clarity regarding the concept of a secondary purpose, use or disclosure of personal information which has a deleterious impact on individuals may occur.[34] These concerns were echoed by the Law Institute of Victoria (LIV), which also called for guidance on the terms 'primary purpose' and 'secondary purpose' to assist entities to adequately comply with the principle. The LIV also noted that such guidance is currently lacking under the NPP as well.[35]

9.32 The Australian Bankers' Association (ABA) noted that unlike NPP 2, APP 6(1) refers to the primary purpose of collection as a 'particular purpose', and this could have implications for the financial services industry:

The reference to "a particular purpose" should be clear it encompasses all necessary or naturally related purposes. For example, the particular purpose of processing a loan application should include all of the possible activities and use and disclosures of personal information that are necessary to maintain, service and recover the loan. It should be clarified that all necessary or naturally related purposes are able to be described in this way and are taken to be included in the meaning of "particular purpose"... However, compared with the reference to "particular purpose" in APP 6 subsection 7(1), sub-sections 7(2)(h) and (i) suggest that the wider approach to activities associated with "particular purpose" in the case of financial services might not be available.[36]

9.33 Professor Greenleaf and Mr Waters also suggested changes to the terminology used in this subsection, noting that as an entity may have more than one primary or secondary purpose, the phrases 'a primary purpose' and 'a secondary purpose' should be used in place of 'the primary purpose' and 'the secondary purpose'.[37]

Conclusion

9.34 The committee notes that the definition of the term 'related', provided in the revised Explanatory Memorandum for the Privacy Amendment (Private Sector) Bill 2000, may assist in the interpretation of the term 'secondary purpose'. The Explanatory Memorandum states:

To be "related", the secondary purpose must be something that arises in the context of the primary purpose. For example, a business that collects personal information about its clients may use that information to notify its clients of its change of business address.[38]

9.35 The committee notes that the ALRC took such issues into consideration in its report, and formed the view that it is not necessary to require a direct relationship between the primary and secondary purpose with regard to the use and disclosure of non-sensitive information. In fact, the ALRC noted that such a requirement could prove to be significantly onerous for organisations. The ALRC further noted that the removal of the direct relation requirement for the use of non-sensitive information in relation to agencies would be effectively balanced by the introduction of the reasonable expectations test. In summary, the ALRC explained, the:

...fact that a primary purpose is related to a secondary purpose increases the likelihood that an individual would reasonably expect his or her personal information to be used or disclosed for that secondary purpose.[39]

9.36 The committee notes concerns about ambiguity of the terms 'primary' and 'secondary' purpose and considers that further guidance on the meaning of these terms would be beneficial.

Exceptions–APP 6(2)

9.37 APP 6(2) provides a list of exceptions to APP 6(1), which allow the use or disclosure of personal information without consent. The ABA welcomed the list of exceptions in AAP 6(2) as practical.[40]

Authorised or required by or under Australian law–AAP 6(2)(b)

9.38 Submissions commented on the exception allowing the use or disclosure of personal information where the information is required or authorised by law, or the order of a court or tribunal. Professor Greenleaf and Mr Waters raised concerns that the insertion of the word 'authorised' broadens this exception, and makes its application subjective, as opposed to simply retaining the stricter 'required by law'.[41]

9.39 The Australian Direct Marketing Association and Google argued that the paragraph should be amended to accommodate the requirements of foreign laws, as some companies will be beholden to both Australian law, and the law of other countries in which they carry out business.[42] Google explained:

For example, a foreign country may mandate disclosure of personal information in response to a subpoena issued by a court exercising jurisdiction over the operations of the service provider in that foreign country. It would be inappropriate to place the service provider in jeopardy under Australian law for responding to valid court process in a foreign jurisdiction.[43]

Conclusion

9.40 Similar concerns were taken into consideration in the ALRC's review; however, the ALRC did not deem it appropriate to further restrict this exception. The committee notes that the ALRC recommended certain safeguards pertaining to this exception, including that agencies and organisations must be able to provide the basis on which they claim the exception by naming the law which requires or authorises the use or disclosure.[44] The committee notes that the Government supported the retention of this exception in its response.[45]

9.41 As discussed in previous chapters, the committee notes that the provisions in the current Privacy Act which provide that acts or practices undertaken outside of Australia which are required by 'an applicable law of a foreign country' will not be taken as a breach of privacy, will be replicated in the new Privacy Act.[46]

Serious threat to life, health or safety–APP 6(2)(c)

9.42 Concerns were raised that the exception allowing the use or disclosure of personal information to lessen or prevent a serious threat to the life, health or safety of the public or an individual has been significantly expanded. Professor Greenleaf and Mr Waters noted there is no reference to a requirement for any threat to be 'imminent', and threats to the health and safety of individuals and the public have been added. Further, they argued that the condition that it be 'unreasonable or impracticable to obtain consent' is quite weak, and that it should be replaced with a stronger provision that it be physically or legally impracticable to obtain consent.[47]

9.43 The Australian Medical Association (AMA) also commented on the removal of the word 'imminent', and was concerned to ensure that patient privacy is not breached as a result of this change. The AMA submitted that guidance on what effect the change in wording will have in practice, specifically how the provision differs from the current requirement, and guidance on when it is appropriate for a doctor to disclose a patient's personal information without consent, will be required.[48]

9.44 Qantas raised concerns about the use of the term 'serious' and recommended that the term be removed from throughout the exposure draft, as 'The question of "seriousness" will always be subjective'. Therefore Qantas suggested that the following form of words would be more appropriate for the exception: 'the entity reasonably believes that the use or disclosure will lessen or prevent a threat'.[49]

9.45 While the Health Services Commissioner, Victoria (HSC) broadly supports APP 6 as consistent with the Health Records Act 2001 (Vic), it was noted that APP 6(2)(c)(ii), may limit the ability of an entity to use or disclose personal information of an individual suffering from psychiatric illness. The HSC suggested that the appropriateness of this provision, with regards to health privacy, be considered.[50]

Conclusion

9.46 The committee notes the ALRC's considerations regarding the use of the terms 'imminent' and 'serious'. In particular, the committee observes that the removal of the term 'imminent' simply removes the need to assess the immediacy of the threat. However, the retention of 'serious' ensures that an assessment of the gravity of the potential outcome of a threat is assessed before a use or disclosure is made.[51]

9.47 The committee also observes that the Government noted such concerns in its response to the ALRC report. While the Government agreed with the removal of the term 'imminent', it acknowledged concerns that the removal of the term broadened the exception. To address these concerns, the Government proposed the addition of a requirement that it be 'unreasonable or impracticable' to obtain an individual's consent to a use or disclosure for this purpose.[52] The committee notes that this has been taken into account in the exposure draft.

9.48 The committee notes the concerns of the Health Services Commissioner and suggests that the circumstances of individuals with psychiatric illness be taken into consideration.

Unlawful activity–AAP 6(2)(d)

9.49 The Law Council of Australia and the Australian Direct Marketing Association (ADMA), expressly supported the inclusion of a provision permitting disclosure and use of personal information in circumstances of suspected unlawful activity or misconduct of a serious nature. The Law Council of Australia noted that the absence of such a provision in NPP 2 has caused organisations significant issues to date.[53]

9.50 Various submitters noted concern about the limited application of APP 6(2)(d)(i), and argued that entities should have more discretion regarding disclosures in respect of potential unlawful activity or serious misconduct. The Financial Services Council (FSC) and ABA suggested that entities should also have some discretion to disclose information about any potential unlawful activity or serious misconduct, even if it doesn't directly relate to their own functions or activities.[54]

9.51 In contrast, Professor Greenleaf and Mr Waters argued that this provision is not necessary, and could be used to compile and maintain 'blacklists' simply based on suspicion of wrongdoing, with no requirement that any such listed individuals be afforded natural justice. Should this provision be retained, they suggested that the exception should be conditional on the entity undertaking 'appropriate action', within a reasonable period of time, to prevent the creation of 'blacklists'.[55]

9.52 In its response to these matters, the Department of the Prime Minister and Cabinet (the department) noted that while the use and disclosure of personal information is permitted for any unlawful activity relating to the entity's functions or activities, the use and disclosure of personal information should not be permitted merely for minor breaches of misconduct. The department further commented that these are issues that can be handled internally by the entity without the need to use or disclose an individual's personal information. The department concluded:

Consistent with the ALRC's views, the exception is aimed at internal investigations by an entity about activities within or related to that entity. If an entity believed that there was unlawfulness not related to its own functions and activities, it may be possible to disclose the information under the law enforcement exception in APP 6(2)(e).[56]

Conclusion

9.53 The committee notes concerns about the application of this exception. However, the Government response makes it clear that the inclusion of an exception allowing the use or disclosure of personal information where unlawful activity or serious misconduct is suspected was supported.[57] Further, the department has noted that the intention of the provision is that it will only be applied to the internal investigations of an entity.

Enforcement related activities–AAP 6(2)(e)

9.54 Professor Greenleaf and Mr Waters noted that while they believe this provision is necessary, they are concerned that the exception allowing the use and disclosure of personal information for the enforcement activities of an enforcement body has been expanded, and subsequently weakened.[58]

9.55 The committee observes that the Government supported the inclusion of an exception allowing the use or disclosure of personal information for law enforcement activities in its response to the ALRC report.[59]

Diplomatic or consular functions–APP 6(2)(f)

9.56 Concerns were raised by Professor Greenleaf and Mr Waters regarding the exception allowing the use or disclosure of personal information for an agency's diplomatic or consular functions or activities. They argued that this new 'special pleading' provision allows the diplomatic services to use or disclose personal information based solely on the entity's own 'reasonable belief'. They submitted that 'any case for additional exceptions should be argued rather than simply asserted'.[60]

9.57 The Office of the Victorian Privacy Commissioner (Privacy Victoria) noted that the exceptions provided for in APP 6(2)(f) and (g) relate solely to Commonwealth agencies. Privacy Victoria argued that given the APPs are supposed to be simple and high-level, such express detail reduces the clarity of the APPs and the ability of States and Territories to readily adopt them with little amendment.[61] The committee's comments in relation to agency specific exceptions are canvassed in chapter 3.

Missing person–APP 6(2)(g)

9.58 APP 6(2)(g) provides an exception in relation to the use and disclosure of personal information where it would assist to locate a person who has been reported missing.

9.59 In its submission to the committee, the ALRC noted that the issue of disclosure of personal information regarding missing persons has been dealt with differently in the exposure draft than recommended by the ALRC in its report. The ALRC explained that the matter was canvassed in its Issues Paper, and while some stakeholders supported disclosure of information in such a situation, there was concern among others that a missing person may not wish to be found. Therefore, to 'create a general exception in respect of all missing person investigations risks interfering with the privacy of certain missing individuals and, possibly, endangering their lives'.[62] The ALRC concluded that:

...the privacy principles did not need to be amended expressly to allow agencies and organisations to use or disclose personal information to assist in the investigation of missing persons, given that other proposed principles should facilitate the disclosure of information in appropriate circumstances (e.g. in relation to serious threats to a person’s life, health or safety).[63]

9.60 Given that an exception regarding missing persons has been included in the exposure draft of the APPs, the ALRC emphasised that the Australian Privacy Rules proposed under section 21 of the exposure draft will be important in providing the required constraints relating to the collection and use of personal information to assist in the location of a missing person.[64]

9.61 Professor Greenleaf and Mr Waters also commented on the use of Privacy Rules in relation to this exception and argued that guidelines pertaining to this principle should be included in the APP itself, and not left to regulations.[65]

9.62 The Office of the Guardian for Children and Young People (GCYP) expressed concern that a missing person may not wish to be located for a number of reasons, including for fear for their personal safety. The GCYP argued that APP 6(2)(g)(i) is very broad, and that a 'clear definition and procedure to test validity of an assumption that someone is "missing" is required.'[66]

Conclusion

9.63 The committee observes that the Government provided a detailed explanation in its response to the ALRC's recommendations for its decision to include an exception for the use and disclosure of information to assist in locating missing persons. The Government acknowledged that in some cases a missing person may not wish to be located. For this reason, the Government has noted its intention to have binding rules for the use of this exception issued by the Privacy Commissioner, covering a series of matters, including that any use or disclosure should not go against 'any known wishes' of the individual, that an assessment of whether the use or disclosure will pose a serious threat to the individual be undertaken, and that any use or disclosure of personal information should be limited. The Government has indicated that these rules will be a legislative instrument and will therefore be subject to parliamentary scrutiny.[67]

9.64 The intentions the Government signalled in its response to the ALRC report were implemented in the exposure draft. As explained in the Companion Guide, this exception will only be able to be used in accordance with the rules issued by the Commissioner, as 'it is important that the permission to collect, use or disclose personal information strikes the right balance, ensuring that persons who have intentionally chosen to discontinue contact remain undisturbed'.[68]

9.65 The committee considers that the use of this exception, subject to rules issued by the Australian Information Commissioner, will provide adequate protection for those who do not wish to make contact with the people who are looking for them and, at the same time, assist in those cases where the use and disclosure of personal information is needed to locate genuinely missing people.

Legal or equitable claim and alternative dispute resolution process–APP 6(2)(h) and (i)

9.66 In its submission GCYP requested clarification of the scope of APP 6(2)(h), relating to the use or disclosure of personal information for the purposes of a legal or equitable claim, noting that agencies are already required to provide information to the judiciary in certain circumstances. GCYP went on to state that these legal requirements, in conjunction with the other provisions in APP 6, give sufficient provision for disclosure without the inclusion of this paragraph.[69]

9.67 Professor Greenleaf and Mr Waters further noted that APP 6(2)(h) does not require any assessment of how trivial a 'legal or equitable claim' may be in comparison with the impact that disclosure or use of information for such a claim may have on an individual's privacy.[70]

9.68 The Law Council of Australia noted concern that APP 6(2)(h) and (i) are not broad enough to adequately cover 'all disputes before alternative dispute resolution bodies, tribunals or external dispute resolution schemes'. Consequently, the Law Council suggested that if an entity believes use or disclosure of personal information is reasonably necessary for the purposes of a dispute before any such body, use or disclosure should be allowed under the principle.[71]

9.69 Professor Greenleaf and Mr Waters suggested that the word 'prescribed' be inserted into APP 6(2)(i) to ensure that only genuine alternative dispute resolutions qualify under this exception.[72]

Conclusion

9.70 The committee supports the inclusion of the exceptions for legal or equitable claims and alternative dispute resolution (ADR). The committee considers that guidance from the Australian Information Commissioner will be necessary to clarify the operation of these provisions and, in particular, to address concerns such as those raised by the Law Council of Australia that APP 6(2)(h) and (i) are not broad enough to adequately cover 'all disputes before alternative dispute resolution bodies, tribunals or external dispute resolution schemes'.

9.71 In relation to ADR, the committee notes that the ALRC recommended a confidentiality safeguard to limit the scope of the exception regarding ADR, and given this, the ALRC considered it unnecessary to provide any further stipulation on the ADR process used, noting it could prove problematic, as such a limitation could 'artificially fragment the application of the exceptions'. The ALRC further noted:

...by its very nature, ADR is dynamic and diverse. Provided the confidentiality safeguards outlined above are in place, this diversity should be accommodated. This is best managed by applying the exception to the broad ambit of ADR processes.[73]

9.72 The committee observes that the Government supported the inclusion of an exemption for ADR processes in its response to the ALRC report, and encouraged the development of appropriate guidance by the Privacy Commissioner.[74]

Additional exception

9.73 Qantas argued for an additional exception in relation to emergencies or disasters. Qantas noted that under Part VIA of the current Privacy Act, in the event of a situation declared an emergency or disaster by the Prime Minister, certain personal information is allowed to be collected, used and disclosed, and that this provision is to be replicated in the new Privacy Act. However, Qantas was concerned that some emergency or disaster situations which do not warrant a Prime Ministerial declaration, may still result in significant injuries and it may be considered desirable to release personal information to authorities in such instances. Consequently, Qantas suggested that an exception be included in the legislation, allowing the disclosure or use of personal information if, 'in the reasonable opinion of the entity, it is necessary for or will assist in an appropriate response to an emergency or disaster.'[75]

9.74 The committee notes that following the introduction of Part VIA of the current Privacy Act in 2006, the ALRC observed that stakeholders have indicated that 'most, if not all, of the problems arising from the handling of personal information in emergency situations have been dealt with adequately by the advent of Part VIA.'[76]

9.75 The Companion Guide states that it is expected that Part VIA of the current Privacy Act will be replicated in the new Privacy Act. The committee notes the explanation by the ALRC in its report, which indicated that the provisions in the privacy principles will apply to 'emergencies or other threats to life that are not declared under Pt VIA, or the subject of a TPID' [temporary public interest determination].[77] The committee considers that it appears this is the function of APP 6(2)(c).

Written note of use or disclosure–APP 6(3)

9.76 GCYP noted in-principle support for this section, which requires a written note of the use or disclosure of personal information for enforcement activities permitted under APP 6(2)(e). However, GCYP requested guidance on what constitutes a written note of use or disclosure, and requirements for secure record keeping. GCYP also suggested that the following information should be included in any such note:

if consent was sought

reasons for overriding the client's wishes or for not seeking consent

advice disclosed, received or requested from others

reasons for not agreeing to an information sharing request

what information was collected, disclosed, with whom, and for what purpose

any follow up activity required by the organisation or entity.[78]

9.77 Professor Greenleaf and Mr Waters suggested that the requirement to provide a written note should extend to paragraphs (2)(d), (f) and (g) as well, as they are similar to (2)(e).[79] Privacy NSW went further, and suggested that this requirement be extended to any use or disclosure of personal information for a secondary purpose.[80]

9.78 The department, in responding to these suggestions, noted that the ALRC had found that imposing a general legislative requirement to log use and disclosure is, on balance, untenable. It noted that the sheer volume of use and disclosure of personal information by agencies and organisations on a daily basis would render such a requirement impractical, costly and onerous. However, the ALRC believed there was considerable merit in imposing such a requirement in the special context of law enforcement. Further, while there is an argument that the unlawful activity exception in APP 6(2)(d) is similar to the law enforcement exception, the ALRC noted that this potential overlap made it seem unnecessary for the Privacy Act to require the logging of all use and disclosure under the unlawful activity exception.[81]

Conclusion

9.79 The committee concludes that there is no reason to extend the provisions of APP 6(3) to include other exceptions.

Exceptions–APP 6(5)

9.80 APP 6(5) provides that use and disclosure of government related identifiers and personal information for the purposes of direct marketing are not subject to APP 6. The GCYP noted its support for this provision.[82] However, Professor Greenleaf and Mr Waters argued that this is a significant departure from the ALRC's recommendations, and from the NPPs. They submitted that the direct marketing and government identifier provisions were not designed as 'standalone' principles, as reflected in:

...the ALRC's recommendations (UPPs 5, 6 & 10) and the existing NPPs 2 & 7, which have direct marketing and identifier principles as ‘extra requirements’ applying over and above the normal application of the use and disclosure principle (to the extent that they are compatible).[83]

9.81 This argument was supported by Qantas Airways Limited, and is further examined in chapter 10.[84]

9.82 However, Professor Greenleaf and Mr Waters suggests that if the direct marketing and government identifier provisions are maintained as separate principles, APP 6(5) should provide a clearer link to these separate principles.[85]

Navigation: Previous Page | Contents | Next Page