25.29 Compared to some other principles in the Privacy Act, the principles relating to use and disclosure in each of the IPPs and NPPs adopt a prescriptive approach. They do not contain an overriding qualifier, such as permitting use or disclosure where it is ‘reasonable’ in the circumstances.[30] Show
25.30 The use and disclosure of personal information for the primary purpose for which it was collected is permissible. Other use and disclosure is prohibited unless it falls within the ambit of a specific legislative exception. The exceptions authorise, but do not require, a use or disclosure to be made. A note to NPP 2 provides that the principle
25.31 The discussion below considers the circumstances that may comprise exceptions to a general prohibition against the use or disclosure of personal information for a purpose other than that for which it was collected. Related or directly related secondary purpose25.32 It is possible for agencies and organisations to use personal information, and for organisations to disclose personal information, where the purpose for which the information is to be used or disclosed (the secondary purpose) has the requisite connection with the primary purpose of collection. 25.33 NPP 2.1(a) allows the use or disclosure of personal information for a secondary purpose if the:
25.34 The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector Bill) 2000 justified the imposition of a stricter test in respect of the use and disclosure of sensitive information under the NPPs. It stated that:
25.35 In contrast, IPP 10.1(e) imposes the stricter test of having to establish, in each case, a direct relation between the purpose of collection and the proposed secondary use of personal information.[34] IPP 10.1(e) does not impose, however, the additional ‘reasonable expectation’ test that is provided in NPP 2.1(a). 25.36 IPP 11 does not contain an equivalent provision to NPP 2 1(a). It allows for disclosure, however, where the individual concerned is reasonably likely to have been aware, or made aware, that information of that kind is usually passed to the entity to which the disclosure is to be made. Under this exception, there is no requirement for an agency to establish any connection between the purpose of collection and the disclosure. Submissions and consultationsConnection between primary and secondary purpose: direct or indirect?25.37 In response to IP 31, a number of stakeholders expressed the view that the use and disclosure of personal information by agencies and organisations for a secondary purpose should be allowed only where that purpose is directly related to the primary purpose of collection.[35] Other stakeholders opposed a requirement that there be a ‘direct’ relationship between the purpose of collection and the secondary purpose for which personal information is to be used or disclosed.[36] For example, the Commonwealth Scientific and Industrial Research Organisation (CSIRO) expressed concern that such an amendment ‘would introduce further restrictions on public health research’.[37] Reasonable expectation of use or disclosure25.38 In response to IP 31, a number of stakeholders supported extending to agencies the requirement, already applicable to organisations, that the individual concerned would reasonably expect the agency to use or disclose the personal information for the secondary purpose in question.[38] 25.39 For example, the OPC stated that the reasonable expectation requirement is meant to be understood in a common sense way and is not overly onerous. It said that if an entity is unsure of the reasonable expectations of an individual in particular circumstances, it could seek the individual’s consent. It also expressed the view that IPP 10 already includes the concept of reasonable expectation.[39] On the other hand, there was some concern that a ‘reasonable expectation’ requirement is ‘too vague and open to severe abuse’—particularly, by those engaging in data-mining.[40] 25.40 Some stakeholders opposed the ‘reasonable expectations’ test being applied to agencies, stating that the current provisions are adequate.[41] For example, the Department of Families, Community Services and Indigenous Affairs (FaCSIA) submitted that such a requirement would restrict how an agency uses personal information and ‘could ultimately limit the extent to which an agency could assist individuals’. It stated that:
Response to Discussion Paper proposal25.41 In DP 72, the ALRC proposed that the test in NPP 2.1(a) should apply to agencies and organisations. That is, the ‘Use and Disclosure’ principle should allow an agency or organisation to use or disclose personal information for a purpose other than the primary purpose of collection if the:
25.42 Most stakeholders supported this proposal.[44] Reasons for support included that the suggested approach:
25.43 Privacy NSW supported the proposal but suggested that the wording of the principle be simplified along the following lines:
25.44 Centrelink noted that its customers generally expect it to use their personal information ‘in order to assess their eligibility to the various payments they may claim or transfer between’. It stated:
25.45 The NHMRC supported the proposal, but expressed concerns about its implementation in the context of health care, and health and medical research. It said:
25.46 A small number of stakeholders opposed the proposal[53] or parts of the proposal.[54] The Public Interest Advocacy Centre (PIAC) opposed the proposed test concerning the relationship between the primary and secondary purposes. It stated that:
25.47 The Australian Taxation Office (ATO) stated that, ‘the proposal, if enacted, would represent a significant and problematic narrowing of the use principle for agencies’. It expressed concern that the introduction of a reasonable expectations test would make the use principle difficult to apply.
25.48 Finally, some stakeholders supported the OPC developing guidance on the application of the proposed exception.[57] For example, Medicare Australia stated that such guidance would be needed ‘to assist agencies [to] manage any differences of opinion with their customers, given the requirement to make an assessment of what the individual would “reasonably expect”’.[58] ALRC’s viewScope of exception25.49 The exceptions relating to use and disclosure of personal information as they apply to agencies and organisations should be consolidated. The particular exception in the NPPs allowing use or disclosure for a secondary purpose where there is a requisite connection with the primary purpose of collection, and within the reasonable expectations of the individual, also should apply to agencies. As noted above, the exception appears to be operating effectively in the private sector. Extending its application to the public sector is consistent with the general approach of using the NPPs as templates in drafting the UPPs.[59] 25.50 Moreover, adopting a two-pronged test which focuses both on the relationship between the primary and secondary purposes, and the reasonable expectations of an individual, achieves an appropriate level of privacy protection. First, it provides additional protection concerning the use and disclosure of sensitive information, commensurate with the risks associated with the improper use and disclosure of such information. It is not necessary or desirable in respect of non-sensitive information to require a direct relationship between the primary and secondary purposes. The imposition of a stricter test of ‘direct relation’ could be quite onerous for organisations, effectively requiring them to seek consent whenever they wish to use or disclose an individual’s personal information for a purpose that is related to the primary purpose of collection, but not directly so. This scenario is likely to arise frequently where an individual is a customer of a large organisation that handles the individual’s personal information for multiple products or services. There also is a concern that a direct relationship test may hamper legitimate health and other research.[60] 25.51 Further, to the extent that the current principle regulating use of personal information by agencies will be loosened—in that a direct relationship between the primary and secondary purposes no longer will be required for non-sensitive information—it will be balanced by the additional protection offered by the reasonable expectations test. The imposition of a reasonable expectations test is unlikely to be particularly onerous. It does not require an agency or organisation to consult the individual on each proposed secondary use or disclosure. It is arguable, as the OPC submitted, that such a requirement already is implied in IPP 10.1(e). The fact that a primary purpose is related to a secondary purpose increases the likelihood that an individual would reasonably expect his or her personal information to be used or disclosed for that secondary purpose. 25.52 The recommended approach also is preferable to the current principle governing disclosure of personal information by agencies. It is unsatisfactory that an agency can disclose personal information merely on the basis that the individual concerned is reasonably likely to have been aware, or made aware, that information of that kind is usually disclosed to a particular entity. The existing approach, for example, may disadvantage an individual, who is told after the collection of his or her personal information that it will be disclosed to a particular entity even though the proposed disclosure appears to have minimal connection with the reason the information was collected. Drafting25.53 The ‘Use and Disclosure’ principle, drafted by the ALRC for inclusion in the model UPPs is intended only as a guide or template. Stakeholder concerns about the drafting of this particular exception—for example, those voiced by Privacy NSW—will be best addressed by the Office of Parliamentary Counsel.[61] Guidance25.54 The ALRC anticipates that the OPC will develop and publish general guidance to assist agencies and organisations to comply with the ‘Use and Disclosure’ principle. This will be beneficial, particularly in assisting agencies in their transition to adopting the recommended provisions. The ALRC notes stakeholder support for such an approach. In the absence of a need to nominate any particular area upon which such guidance should focus, it is unnecessary for the ALRC to make a specific recommendation in this regard.
Recommendation 25-2 The ‘Use and Disclosure’ principle should contain an exception permitting an agency or organisation to use or disclose an individual’s personal information for a purpose other than the primary purpose of collection (the secondary purpose), if the: (a) secondary purpose is related to the primary purpose and, if the personal information is sensitive information, directly related to the primary purpose of collection; and (b) individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose. Consent25.55 The IPPs and NPPs each allow personal information to be used and disclosed if an individual has consented to that use or disclosure. 25.56 In DP 72, the ALRC included in its draft ‘Use and Disclosure’ principle, an exception to the general prohibition on secondary use and disclosure of personal information, in circumstances where an individual has consented to the use and disclosure.[62]. Stakeholders did not express opposition to the retention of this exception. The Cyberspace Law and Policy Centre supported it expressly.[63] ALRC’s view25.57 The ‘Use and Disclosure’ principle should contain an exception authorising the use or disclosure of personal information by agencies and organisations where an individual has consented to that use or disclosure.[64] Emergencies, disasters and threats to life, health or safety25.58 The IPPs and NPPs each allow personal information to be used and disclosed if it is necessary to lessen or prevent a serious and imminent threat to an individual’s life or health.[65] The NPPs also allow secondary use and disclosure if it is necessary to lessen or prevent a:
25.59 The NPPs, therefore, do not require a threat to public health or public safety to be imminent. This was explained in the Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000, as follows:
25.60 The NPPs also permit secondary use and disclosure of an individual’s genetic information, if the organisation reasonably believes the use or disclosure to a genetic relative of the individual is necessary to lessen or prevent a serious (but not necessarily imminent) threat to the life, health or safety of a genetic relative of the individual.[68] 25.61 There are additional regimes in the Privacy Act to deal with the use and disclosure of personal information in emergencies and disasters. Part VIA of the Act provides a separate regime for the handling of personal information in the event of a declared emergency.[69] Part VIA commenced operation on 7 December 2006.[70] It does not alter the IPPs or NPPs themselves; rather, it displaces some of the requirements in the IPPs and NPPs by providing a separate regime for the collection, use and disclosure of personal information where there is the requisite connection to an emergency that has been the subject of a declaration by the Prime Minister or a minister. 25.62 Finally, the handling of personal information in an emergency or disaster could be the subject of a temporary public interest determination (TPID) made by the Privacy Commissioner under Division 2 of Part VI of the Act.[71] 25.63 This part of the chapter focuses on the operation of the privacy principles in dealing with emergencies or other threats to life that are not declared under Pt VIA, or the subject of a TPID. Submissions and consultations25.64 Prior to the release of IP 31, some stakeholders expressed concern about the practical operation of the current principles. The Community Services Ministers’ Advisory Council expressed concern that agencies, in endeavouring to protect individuals’ privacy, can be unwilling to disclose personal information, which, at times, hampers the protection and care of vulnerable people. The Council stated that it was too difficult to establish that a threat to a person’s life or health was both ‘serious and imminent’ in order to justify a disclosure, stating:
25.65 In IP 31, the ALRC asked whether agencies and organisations should be permitted expressly to disclose personal information where there is a reasonable belief that disclosure is necessary to prevent a serious and/or imminent threat to any individual’s safety or welfare, or a serious threat to public health, public safety or public welfare; and in times of emergency.[73] 25.66 In response to IP 31, a large number of stakeholders submitted that there should be a dilution of the requirement that a threat be both imminent and serious before personal information can be used or disclosed under the IPPs and NPPs.[74] Reasons for this included that the current provision:
25.67 A number of stakeholders submitted that the test simply should be whether the threat is ‘serious’—that is, the requirement that the threat also be ‘imminent’ should be removed.[78] Reasons for this included that the imminence requirement:
25.68 Some stakeholders preferred a different formulation altogether. Some suggested that the exception should apply where the threat is ‘significant’, the definition of which may involve balancing the public interest and privacy implications of disclosure.[82] Others proposed greater specificity in the wording of the exception, enabling disclosure where the person reasonably believes it is necessary to protect a child from abuse or neglect.[83] 25.69 The OPC favoured the retention of the condition that a relevant threat is to be both serious and imminent. It submitted that the advent of Part VIA and the public interest determination provisions adequately address the concerns about sharing information in emergency situations.[84] 25.70 In DP 72, the ALRC proposed that the ‘Use and Disclosure’ principle
25.71 In other words, the ALRC proposed:
25.72 The ALRC expressed the preliminary view that an assessment of whether a threat is serious involves consideration of the gravity of the potential outcome as well as its relative likelihood.[86] 25.73 A majority of stakeholders supported this proposal.[87] Reasons for support included that:
25.74 The AFP supported the proposal, but stated that it did not address adequately investigations to locate missing persons.[94] Some stakeholders supported the removal of the imminence requirement, but preferred the use of a word other than ‘serious’. It also was suggested that any use or disclosure made in good faith for the purpose of protecting an individual’s life, health or safety; or public health or safety, should be permitted regardless of the seriousness of the threat.[95] 25.75 The Office of the Victorian Privacy Commissioner agreed that it is arguable that an assessment of whether a threat is serious contains within itself an … assessment of the likelihood of a potential negative consequence occurring and the timeframe in which it may occur, together with the extent of damage that would be caused if the consequence eventuated.[96] 25.76 The South Australian Government, however, expressed the view that
25.77 A number of stakeholders opposed the removal of the requirement that the relevant threat be imminent.[98] Reasons for this included that:
25.78 The Cyberspace Law and Policy Centre submitted the removal of the requirement that the threat be imminent ‘would probably be acceptable’ for threats to an individual’s life, health or safety. It stated, however, that it would be ‘very dangerous’ to remove such a requirement in the context of threats to public health or public safety. It said:
25.79 As has been noted above, however, there is currently no requirement that a threat to public health or safety be imminent. This was the express intention of Parliament.[106] 25.80 The OPC expressed concern about authorising the use and disclosure of personal information to address threats to safety. It stated that
25.81 The OPC also submitted that if the imminence requirement is removed, the relevant provision should require that where there is a serious threat, the agency or organisation should seek the consent of the individual where reasonably practicable.[108] ALRC’s view25.82 Agencies and organisations should be permitted to use and disclose personal information for a purpose other than the primary purpose of collection if they reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety; or public health or safety. 25.83 The current requirement that the requisite threats to an individual be imminent as well as serious sets a disproportionately high bar to the use and disclosure of personal information. This is problematic in circumstances in which there may be compelling policy reasons for the information to be used or disclosed but it is impracticable to seek consent. Agencies and organisations should be able to take preventative action to stop a threat from escalating to the point of materialisation. In order to do so, they may need to use or disclose personal information. 25.84 The requirement that the requisite threats to an individual be imminent, therefore, should be removed. Any analysis of whether a threat is ‘serious’ must involve consideration of the gravity of the potential outcome as well as the relative likelihood. If a threat carries a potentially grave outcome but is highly unlikely to occur, it cannot be considered ‘serious’ in any meaningful sense. The word ‘serious’ cannot be considered in isolation. It must be considered in the context of a ‘serious threat’. The second listed definition of ‘threat’ in the Macquarie Dictionary is ‘an indication of probable evil to come’.[109] This indicates that an assessment of likelihood of harm is implied. 25.85 While the removal of the imminence requirement will not impact on the need to assess whether a threat is likely to eventuate, it will render unnecessary an assessment of when a threat is likely to take place. This is borne out by the definition of ‘imminent’, which focuses on the immediacy of a threat. The Macquarie Dictionary defines ‘imminent’ as ‘likely to occur at any moment; impending’.[110] It defines ‘impending’ as ‘about to happen; imminent’.[111] 25.86 It should be emphasised that there are important safeguards contained in the formulation of the exception recommended by the ALRC. In each case, an agency or organisation will need to form a reasonable belief that the use or disclosure is necessary to lessen or prevent the requisite threat. An agency or organisation, therefore, will need to have reasonable grounds for its belief that the proposed use or disclosure is essential, and not merely helpful, desirable, or convenient. 25.87 There is a strong public interest in averting threats to life, health and safety. To remove the categories of threat relating to an individual’s safety or public safety, as suggested by one stakeholder, would leave a gap in the operation of the principles, and potentially lead to ambiguity in their application. For example, if an individual is facing a serious risk of injury or danger, in the absence of an exception allowing use and disclosure to prevent serious threats to safety, an agency or organisation may take an overly-conservative view that such risks do not constitute either a threat to life or health, and therefore refrain from acting.
Recommendation 25-3 The ‘Use and Disclosure’ principle should contain an exception permitting an agency or organisation to use or disclose an individual’s personal information for a purpose other than the primary purpose of collection (the secondary purpose) if the agency or organisation reasonably believes that the use or disclosure for the secondary purpose is necessary to lessen or prevent a serious threat to: (a) an individual’s life, health or safety; or (b) public health or public safety. Reason to suspect unlawful activity25.88 NPP 2.1(f) allows secondary use or disclosure of personal information by an organisation if it
25.89 The Revised Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 stated that:
25.90 The OPC’s guidance on this exception states that ‘ordinarily but not in all cases, the suspected unlawful activity would relate to the organisation’s operations’.[114] The OPC also has stated that it will be a ‘necessary’ part of an organisation’s investigations where it cannot effectively investigate or report the suspected unlawful activity without using or disclosing the information.[115] 25.91 ‘Investigation’ has been interpreted to include
25.92 The IPPs do not contain an equivalent exception. Submissions and consultations25.93 In DP 72, the ALRC included in its draft ‘Use and Disclosure’ principle an exception to the general prohibition on secondary use and disclosure of personal information, relating to reasonable suspicion of unlawful activity.[117] This exception was based on the one contained in NPP 2.1(f). In effect, the ALRC proposed extending this exception to the public sector. 25.94 Stakeholders did not express opposition to the proposed extension.[118] The DFAT stated that the proposed exception would ‘assist the Department to pass on information to the relevant authorities where necessary’.[119] 25.95 DFAT and Centrelink each submitted, however, that the exception should be expanded to include investigations of serious misconduct[120]—for example, breaches of the Australian Public Service Code of Conduct.[121] DFAT also submitted that it would
25.96 The OPC suggested that consideration be given to defining more precisely legitimate uses and disclosures for the purpose of investigating alleged unlawful activity. It noted that the ‘relevant persons or authorities’ referred to in the exception are not ‘identified as being explicitly linked to the investigation’, which could lead to overly broad interpretations. The OPC suggested that the exception could refer simply to disclosure necessary for investigations or proceedings concerning the matter. Alternatively, it stated that consideration could be given to including, within the principle, a non-exhaustive list of persons who, and authorities that, would fall within the exception.[123] ALRC’s view25.97 The ‘Use and Disclosure’ principle should contain an exception authorising the use or disclosure of personal information by agencies and organisations where they have reason to suspect unlawful activity has been, is being, or may be, engaged in. This exception should apply only if such use or disclosure is a necessary part of an agency’s or organisation’s investigation of the matter or in reporting its concerns to relevant persons or authorities.[124] 25.98 It is unnecessary to expand the scope of this exception to include expressly investigations of serious misconduct. The OPC’s guidance on ‘investigation’ interprets ‘investigation’ to include investigation of professional misconduct. In addition, and more significantly, another exception in the model ‘Use and Disclosure’ principle authorises use and disclosure of personal information if an agency or organisation reasonably believes it is necessary by or on behalf of an enforcement body to prevent, detect, investigate or remedy serious misconduct.[125] This exception is discussed further below. Required or authorised by or under law25.99 NPP 2.1(g) and IPPs 10.1(c) and 11.1(d) permit use or disclosure where this is ‘required or authorised by or under law’.[126] The Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 stated that:
25.100 The OPC’s guidance on NPP 2.1(g) provides:
25.101 In response to IP 31, the OPC suggested that this exception should be narrowed with respect to the use or disclosure of sensitive information. It submitted that, ‘to avoid a broad reading of this [exception] where sensitive information is at stake, the inclusion of “clearly” or “expressly” authorised could be considered’.[129] 25.102 In DP 72, the ALRC asked the following question:
Submissions and consultations25.103 Stakeholders’ opinions were divided on whether use and disclosure under this limb should be specifically required or authorised by or under law. A number of stakeholders, including privacy advocates and privacy commissioners, supported such an approach.[131] Some stakeholders stated that requiring specific authorisation would promote clarity of approach.[132] For example, GE Money stated:
25.104 PIAC expressed the view that the narrowing of the exception is justified ‘given the high degree of public concern about use of personal information for purposes other than its original purpose’.[134] Privacy NSW stated that in its experience, New South Wales agencies tend to overstate the authority granted by the relevant law.[135] 25.105 A large number of stakeholders opposed a requirement for a use or disclosure to be specifically authorised by or under law.[136] Concerns included that a requirement for ‘specific’ authorisation:
ALRC’s view25.106 The ‘Use and Disclosure’ principle must contain an exception which allows for the legitimate use and disclosure of personal information if it is required or authorised by or under law. To impose a restriction that may narrow the scope of the exception to express legislative authorisations only is likely to have far-reaching, and possibly unintended, consequences. For example, it may impact negatively on the ability of agencies to fulfil their statutory functions and exercise their powers. It may compromise disclosures which, by necessary implication, parliament intended to be made. Imposing a ‘specific authorisation’ requirement also would likely necessitate a review of current legislation to ensure that, where needed, the use and disclosure of personal information is specifically authorised. 25.107 Promoting clarity of approach was a key factor cited by those stakeholders that supported a requirement for specific authorisation. Increased clarity, however, is likely to be achieved if the ALRC’s recommendations on the ‘required or authorised by or under law’ exception are implemented. As discussed in Chapter 16, the ALRC has recommended that the Privacy Act should be amended to set out what ‘law’ includes for the purpose of the exception.[148] It also has recommended that the OPC should develop and publish guidance to clarify when an act or practice will be required or authorised by or under law.[149] 25.108 Absent a legislative requirement that a use or disclosure for a secondary purpose must be specifically authorised, agencies and organisations must nonetheless be able to establish the basis upon which they assert their entitlement to rely on the exception. That is, they will still need to be able to identify the law which they assert requires or authorises a particular use or disclosure. 25.109 It is unnecessary and undesirable, therefore, for privacy legislation to mandate that a use or disclosure of personal information for a secondary purpose must be specifically authorised by or under law in order to qualify as a permitted exception to the prohibition on such use and disclosure. Law enforcement and regulatory purposes25.110 IPPs 10 and 11, respectively, permit agencies to use personal information for a secondary purpose, and to disclose personal information where use or disclosure is ‘reasonably necessary for enforcement of the criminal law, a law imposing a pecuniary penalty, or for the protection of the public revenue’.[150] 25.111 NPP 2.1(h) allows an organisation to use or disclose personal information for a secondary purpose if it
25.112 The OPC has issued an Information Sheet which provides guidance on this exception.[153] For example, that guidance provides that:
Submissions and consultations25.113 In DP 72, the ALRC, based on its use of the NPPs as a template, included in its draft ‘Use and Disclosure’ principle an exception to the general prohibition on secondary use and disclosure of personal information based substantially on the law enforcement exception contained in NPP 2.1(h).[155] This had the effect of consolidating the approach to the law enforcement exception to both the private and public sectors. 25.114 The Cyberspace Law and Policy Centre supported this approach expressly.[156] It also submitted that a note to the exception should state that it ‘requires the active involvement’ of an enforcement body, that is:
25.115 One stakeholder expressed concern that the proposed exception may not address adequately the intelligence-gathering functions of agencies and their need to share criminal information and intelligence.[158] ALRC’s view25.116 The ‘Use and Disclosure’ principle should contain an exception permitting agencies and organisations to use and disclose personal information for a secondary purpose if they reasonably believe it is necessary for, or on behalf of, an enforcement body to perform one of the functions specified in NPP 2.1(h). 25.117 The law enforcement exception contained in the NPPs is to be preferred to that contained in the IPPs because of its greater scope. It canvasses with greater precision the legitimate areas of law enforcement and regulation that warrant the authorisation of secondary use and disclosure of personal information. It also promotes clarity. 25.118 The law enforcement exception should not be limited to circumstances in which there is an ‘active’ involvement of an enforcement body, as suggested by two stakeholders. Such a provision would be counter-productive, potentially limiting the operation of the law enforcement exception to allowing use and disclosure of personal information to assist law enforcement bodies to undertake existing investigations into offences and breaches of the law. A law enforcement body, however, may not be in a position to prevent, detect or investigate offences or breaches of the law, unless and until certain information, including personal information, is brought to its attention. The exception, therefore, should not be framed in a manner that prejudices the ability of enforcement agencies to initiate investigations in the public interest. 25.119 It is not necessary to amend the law enforcement exception to address specifically the intelligence-gathering functions of agencies. The OPC’s guidance on the use and disclosure principles in the IPPs takes a purposive approach and acknowledges specifically that an agency may need to use and disclose personal information for intelligence-gathering that does not relate to a specific crime. It provides that:
Research25.120 NPP 2.1(d) provides that an organisation may use or disclose health information where necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety where:
25.121 In Chapter 65, the ALRC has recommended expanding the scope of the research exception beyond health and medical research to apply to human research generally.[161] The ALRC has recommended specific conditions upon which use and disclosure necessary for research is to be authorised.[162] The ‘Use and Disclosure’ principle set out at the end of this chapter, therefore, contains the recommended research exception.[163] Provision of a health service25.122 NPP 2.4 permits an organisation that provides a health service to an individual to disclose health information about the individual to a person who is responsible for the individual if certain conditions are met. NPPs 2.5 and 2.6 define a person responsible for an individual.[164] 25.123 The ALRC has recommended that NPPs 2.4 to 2.6 should be moved to the new Privacy (Health Information) Regulations.[165] Those provisions, therefore, are not included in the ‘Use and Disclosure’ principle. The ALRC also has recommended that the new regulations should provide that an agency or organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if the individual is incapable of giving consent to the disclosure and all the other circumstances currently set out in NPP 2.4 are met.[166] Genetic information25.124 NPP 2.1(ea) contains an exception to the general prohibition on the use and disclosure of personal information for a secondary purpose that authorises the use and disclosure of genetic information obtained in the course of providing a health service to an individual. This is allowed where necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the individual. This exception is discussed in Chapter 63. 25.125 The ALRC has recommended that this specific exception should be moved out of the ‘Use and Disclosure’ principle and be dealt with in the new Privacy (Health Information) Regulations.[167] These regulations are to apply to both agencies and organisations.[168] Confidential alternative dispute resolution process25.126 Neither the NPPs or the IPPs contain an exception authorising a secondary use or disclosure of personal information where it is necessary for the purpose of a confidential alternative dispute resolution process. For the reasons discussed in detail in Chapter 44, the ‘Use and Disclosure’ principle should contain such an exception. Page 2
Home / Publications / For Your Information: Australian Privacy Law and Practice (ALRC Report 108) / 25. Use and Disclosure
16.08.2010 |