6. Use, disclosure, and related principles
Graham Greenleaf and Nigel Waters, May 2001; revised by Graham
Greenleaf 21 November 2002, Nigel Waters 18 May 2003.
material added since the date of the class concerning this topic
This Reading Guide covers a number of IPPs and statutory provisions that
deal with aspects of the use of personal information. These controls on use and
disclose fall into the following main categories:
starting point in considering what are the allowed uses of personal information
is the original purpose of collection, referred to variously as 'obtained for a
particular purpose', 'the primary purpose of collection', or the purpose 'for
which it was collected'.
- General conditions for use and disclosure ('finality') - In some
sets of IPPs, there are separate principles for (internal) 'use' and (external)
'disclosure' of information (eg Australian Federal government s14 IPPs 10 and
11), whereas in others they are dealt with under the one principles (eg Hong
Kong DPP 3; Australian private sector NPP 2). This difference is mainly
cosmetic, although there are some significant differences.
- Exceptions to finality - Some of these are general, many are
particular to different jurisdictions. The differences are enormous.
- Application of IPPs to public registers - This differs widely
between jurisdictions, with some imposing the normal IPPs, some imposing none
at all, and some imposing special regimes.
- Data quality - IPPs requiring certain types of 'integrity' or
'quality' of the data at the point of use.
- Rights to object to use - Some sets of IPPs also give individuals
the right to object to certain forms of processing (use) of their personal
information, or prohibit some forms of processing outright.
- Special regimes for higher risk uses / types of data - Examples
include (for some jurisdictions only) data matching practices and the
use of certain identifiers.
- Conditions for disclosure to other jurisdictions are discussed in
Reading Guide 3
- Commonwealth public sector -
- Privacy Act 1988 S14
IPP 10 - Limits on use of personal information: '1. A record-keeper who has
possession or control of a record that contains personal information that was
obtained for a particular purpose shall not use the information for any other
purpose unless: ...'
- Privacy Act 1988 s14
IPP 11 - Limits on disclosure of personal information : '1. A record-keeper
who has possession or control of a record that contains personal information
shall not disclose the information to a person, body or agency (other than the
individual concerned) unless: ...'
- Private sector -
- NSW public sector - Privacy and Personal Information Protection
- Victorian public sector - Information Privacy Act 2000
1 IPP 2 Use and Disclosure - substantially similar to Commonwealth NPP2
- Hong Kong :
3 - Principle 3- use of personal data: "Personal data shall not, without
the prescribed consent of the data subject, be used for any purpose other than-
(a) the purpose for which the data were to be used at the time of the
collection of the data; or (b) a purpose directly related to the purpose
referred to in paragraph(a).
- s2 provides that ' "use", in relation to personal data, includes disclose
or transfer the data'; See B&W p121
All these IPPs embody the key principle (`finality' in EU terms) that uses and
disclosures are prima facie limited by the purposes of collection. If applied
strictly, this is not an `efficiency' measure (in James Rule's terms) from the
point of view of surveillance organisations - it is not in an organisation's
objective interests to have to re-collect information from data subjects when
they could re-use what they have or use their `information capital' for swaps
with other surveillance organisations. 'Finality' principles do place objective
limits on the surveillance capacity of organisations, but their significance
depends on the exceptions to and exemptions from them.
Questions concerning the original purpose of collection:
B&W pg 123-4 set out the following principles:
- How broad an original purpose is allowed? See back to the Reading Guide on
- Can there be more than one distinct original purpose of collection? (Aus.
NPP 1.3(c) refers to notice of 'the purposes for which the information
is collected (emphasis added), but the Commissioner has taken the view that
there will only ever be one primary purpose, with all other purposes being
secondary (Guidelines to the NPPs -
- Can disclosure to others be a purpose of collection?
Examples from the PCO:
IPPs refer to information being disclosed, not records. Disclosures can be
verbal, or by actions (eg allowing another person to read a file).
- Determination of 'the purpose for which the data were to be used at the
time of the collection' (DPP 3) requires an objective test. [The data user may
not have formed or disclosed a purpose at the time of collection (particularly
since notice is only required when there is collection from the subject).]
- 'Purposes' are distinct from processes or activities .
- Purposes can be implied by relationships (vendor/purchaser,
employer/employee etc) whether stated at the time of collection or not.
- If a data subject limits the purposes for which data can be used, then the
purpose of the data user can be no wider than that.
The Victorian Privacy Commissioner has noted that disclosure does not
necessarily mean physical transfer "To disclose is to reveal. Personal
information can be disclosed even though it remains in the possession or
control of its original collector. The act of sending the original or a copy to
another person is not a necessary element of a disclosure, although it will be
a common feature" (
Guidelines Part 1)
In Hong Kong "disclosing" 'includes disclosing information inferred from the
data' (s2). It also of course includes information explicit in the data.
The following discussion is of general relevance, not just to Australia:
This is of considerable practical
importance. If disclosure did not include information already known,
organisations could state that they already knew all and any information a
person had disclosed to them (eg in an application form), when sending out a
'broadcast' to (say) all other credit grantors asking if anyone could confirm
that the information was true. No 'yes' answer would be a disclosure, nor would
UK case of R v Brown  1 AC 543, a case on UK privacy legislation,
held that merely reading personal information is not 'use' of that
of personal information in 'Central Features of Australia's private sector
privacy law'  CyberLRes 2 - note the cases discussed by Gunning; he
concludes that 'disclosure' does not include information already known.
Does 'disclosure' include information already known? in ' Key concepts
undermining the NPPs - A second opinion' (2001) 8 Privacy Law & Policy
Reporter 1 - suggests the opposite conclusion to Gunning, that 'disclose' does
include information already known.
See the following discussion:
if it is not a breach of an IPP to merely access (or read) a person's file, it
can easily be a criminal offence under the 'computer crime' laws of most
of personal information in 'Central Features of Australia's private sector
privacy law'  CyberLRes 2 - He expects that Brown will be followed
Does 'use' include merely looking? in ' Key concepts undermining the NPPs
- A second opinion' (2001) 8 Privacy Law & Policy Reporter 1 - Suggesting
that the Security Principle in IPPs provides a limited remedy for this problem.
- In contrast, the Federal Privacy Commissioner's Plain English
Guidelines to Information Privacy Principles 8-11 (1996) states that 'As a
general rule, any accessing by an agency of personal information in its control
is a "use" ', and this includes 'searching records for any reason'.
- Should R v Brown be followed in Australia or Hong Kong? Part of the
harm that the privacy legislation could be interpreted to seek to remedy is
when others have access to your personal information without justification.
B&W p92 say Brown should not be followed in HK because the long title of
the HK Ordinance says it is 'An Ordinance to protect the privacy of individuals
...' , whereas the UK Data Protection Act did not provide any such indication
of its purpose on which the minority in that case (who referred to the need to
protect privacy) could rely.
- Australia's Privacy Act 1988 has as its long title ' An Act to make
provision to protect the privacy of individuals,..', and further supporting
references to privacy in its
so the reasoning employed by B&W could also be used..
offences will apply not only to third parties outside the agency / organisation
concerned who gain access to personal information, but also to accesses (uses)
by those within the agency/organisation if that use is 'without authority'.
- The Crimes Act 1914 (Cth)
s76B(1) makes it an offence to 'intentionally and without authority obtain
access' to data stored in a Commonwealth computer (etc) .
76D provides for exactly the same offences in relation to data stored on
any other computer, whether in the private sector, or a State Government
agency, provided access is obtained 'by means of a facility operated or
provided by the Commonwealth or by a carrier'.
- In addition, the New South Wales Crimes Act 1900 (NSW)
- 'A person who, without authority or lawful excuse, intentionally obtains
access to a program or data stored in a computer...'. This duplicates the
Commonwealth s76D(1), except there is no need to use a telecommunications
facility. No other State yet has these complementary offences.
For the meaning of 'without authority', see
Gilmour v DPP (Cth) (Supreme Court of New South Wales, 15 December 1995),
where there was amendment of tax files by an ATO employee who had authority to
access the records concerned, but no authority to carry out the particular
computing operation that he did.
There are higher penalties if access is to data which the person knows or ought
reasonably to know relates to a person's 'personal affairs': Commonwealth
ss76B(2)(b) and s76D(2)(b) and NSW s309(3). The NSW provision is wider in
covering privacy of the dead. Courts have treated the personal affairs category
with some seriousness in sentencing offenders.
Raiser v Slodac (1995) ACT Supreme Court, the Respondent, who was employed
at Grade ASO4 in the Australian Taxation Office (ATO), obtained the tax file
numbers and personal details of 30 persons with the same surname as himself,
and personal details of others. He was shortly to retire from the ATO and go
into business by himself. Miles CJ commented, when increasing the sentence,
The average tax payer would, I am sure, be outraged at the prospect
of an officer of the ATO perusing details of the tax payer's personal affairs,
which the taxpayer has disclosed under threat of penalty, other than for a
proper purpose. The outrage may be all the greater if the officer were
motivated by commercial or other "nefarious" purpose, but, in my view, that is
not to the point. In my view, it was wrong for the Magistrate to have regard
to the hypothesis that it was "routine" for an officer like the respondent,
authorised to obtain access to information of a private kind on the computer,
to use that authority at the officer's whim in order to obtain such
information, not for the purposes of the office itself, but for amusement,
edification or any other private purpose.
Privacy Act 1988
s6 provides that 'use, in relation to information, does not
include mere disclosure of the information, but does include the inclusion of
the information in a publication.'
In relation to Commonwealth agencies, the Federal Privacy Commissioner has
considered many situations where an agency passes personal information to an
outside organisation or agency to be a 'use' not a 'disclosure', applying a
test of 'whether or not the agency maintains control over that personal
information'. It seems that outsourcing of processing of personal information
has been dealt with in this way. See Federal Privacy Commissioner 'When is
passing personal information outside an agency a use? in Plain English
Guidelines to Information Privacy Principles 8-11 (1996).
It is questionable whether this interpretation would be upheld by a Court if
challenged, and it would be unwise to simply apply it in the private sector
context without further consideration.
s161 Crimes Ordinance (Cap 200)- 'prohibiting access to computer
with criminal or dishonest intent'
Unauthorized access to computer by telecommunications Telecommunications
Ordinance (Cap 106) - 'prohibiting unauthorized access to computer by
The purpose of collection by a recipient may be different from the purpose for
which the information was held by the discloser. Which purpose governs the
recipient's obligations? The obligations of those who receive personal
information are complex, and derive from a number of sources.
IPPs do not simply say 'those who receive personal information are bound by the
same obligations as the organisation from which they received it'. In fact,
IPPs rarely say anything direct about the obligations of the recipient of
personal information (some exceptions are below). Nor do IPPs require a
disclosing organisation to state the purposes for which information is being
At least two situations must be distinguished:
Where organisation A discloses personal data to organisation
B, why is B bound not to use the data any purposes other than those for which A
held it? One approach is as follows:
- Where an organisation receives information legitimately disclosed
under an IPP:
- The question of how limited are the purposes for which the recipient may
use the information must be considered.
- Where an organisation receives information in breach of an IPP:
- 'Fair collection' principles must be considered in light of whether the
recipient was aware that the information was received in breach of the
- The law of breach of confidence must be considered (see
If this argument does not succeed, it would be
necessary to rely on the law of breach of confidence, assuming the information
was confidential (see 6.2.2 below).
- A holds the information for the purpose for which it collected it, and
cannot disclose the information for any other purpose (unless an exception
- B must collect data by means which are 'lawful' and this implies that B is
collecting the data only for purposes for which it is lawful for A to disclose
the data (whether or not A discloses those purposes). It is more questionable
whether it could be said that B's means were not 'fair', unless B was aware of
A's narrower purposes. [The alternative approach of arguing that B's broader
purposes of collection are not 'lawful purposes' does not seem correct.]
- If B's own purposes of collection are narrower than the purposes for which
A could disclose, B's narrower purposes will apply. If B's purposes are broader
they will not apply.
- If A imposes purposes narrower than those for which it could use the data,
those narrower purposes will apply (eg where a finance company discloses data
to a debt collector.)
See also B&W pgs 124-126 for a broadly similar approach.
The lack of comprehensive coverage of privacy laws in Australia causes
additional complications, so that there is more likelihood of need to refer to
breach of confidence laws. Now that most organisations within Australia (at
least in NSW, Victoria, the ACT and the Northern Territories) are covered by
either the private sector NPPs or a set of public sector IPPs, receiving
personal information will usually be 'collection', and a set of IPPs will apply
to any information they receive. However, not all recipients of disclosed
information are bound by IPPs (eg some small businesses).
Note special provisions for Commonwealth public sector - s14 IPP 10.3.
These offences, discussed above, are important complements to the use and
disclosure IPPs. Third parties who obtain access to personal information
without authority may commit serious criminal offences, even though in some
cases their actions might not breach IPPs.
The law of breach of confidence can the following roles in the above situations
(assuming circumstances of confidence apply and the information is
Reading Guide 4.4.1. Relationships involving obligations of confidence
- A will be in breach of confidence by disclosing for a broader purpose than
the data subject's purpose in disclosing (if the data subject has not disclosed
to A, that is probably fatal);
- Once B is made aware of A's breach of confidence, B is also bound by the
same confidence (ie the same limited purposes of use).
See Reading Guide
Governments and obligations of confidence concerning Johns v Australian
Securities Commission (1993) 178 CLR 408; Marcel v Commissioner of Police
 Ch 225 and Morris v Director of the Serious Fraud Office  3 WLR 1.
IPP 11 does not in itself authorise any disclosures - it merely means that the
exceptions are not breaches of the IPPs.
We can therefore argue:
- Johns may impose a stricter standard than IPP 11 for compulsorily
collected information. (why assume the same exceptions apply - particularly the
revenue protection one?). Some forms of government information sharing may be
illegal though within an IPP 11 exception.
- The majority finding that natural justice normally requires a hearing as
to whether disclosure should occur or on what conditions it should occur (eg no
further disclosure to press) goes well beyond IPP 11 (and in some cases even
beyond a `no disclosure without notice' requirement - the Data-matching Act has
a `no adverse use by recipient without notice' requirement, but that is all).
Moral? - you can't run data matching without natural justice (untested as
Other relevant decisions:
there are more exceptions than substance to 'finality' IPPs, they just become a
legitimating device for extensions of surveillance practices. Are any sets of
IPPs 'more holes than cheese'?
Three types of exceptions have to be considered:
The following discussion
is not exhaustive, but only covers the most common, most general and most
important exceptions. Many specific exemptions for particular agencies are not
mentioned here, and you must check the relevant legislation.
The exceptions discussed below to the use and disclosure principles can be used
to show one thing only: that there is not a breach of an IPP.
- Specific exceptions to use and disclosure provisions.
- More general exemptions from requirements to comply with any or most IPPs,
including use and disclosure principles.
- Contingent exemptions from requirements to comply with IPPs, which can be
lost if an organisation has particular types of collection or use practices
(eg: the Australian `small business' exemption).
The exemptions are not in themselves requirements to disclose (or use)
personal information. Organisations may choose not to disclose information even
if it is not a breach of an IPP to do so (unless some other law compels them to
disclose). This discussion is confined to disclosure as the main area
in which this issue arises - there are relatively few circumstances where it
would arise in the context of internal use, although it technically
applies to both use and disclosure.
Exemptions are not general authorisations to disclose. Furthermore, a
disclosure under an exemption from an IPP breach may still leave the discloser
open to other actions for wrongful disclosure, whether because of some breach
of another statute, or a breach of confidence, or a breach of copyright, or
some other action. If the discloser has an obligation not to disclose which
arises outside privacy laws, no exception to a disclosure IPP can act as a
defence. The same applies to uses which breach other duties.
The NSW Act contains a specific provision making this point clear in relation
to other exemptions from the disclosure principle - s.23(6).
Most IPPs include some allowed extension of use/disclosure for 'related' or
'directly related' purposes.
- Private sector - NPP 2.1(a) : 'unless (a) both of the following
(i) the secondary purpose is related to the primary purpose
of collection and, if the personal information is sensitive information,
directly related to the primary purpose of collection;
(ii) the individual
would reasonably expect the organisation to use or disclose the
information for the secondary purpose; or ...'
- Commonwealth public sector - s14 IPP 10: '(e) the purpose for
which the information is used is directly related to the purpose for which the
information was obtained.'
- NSW public sector -
s17 ' (b) the other purpose for which the information is used is directly
related to the purpose for which the information was collected'
- Victorian public sector - IPP 2.1(a) - identical to Commonwealth
private sector NPP 2.1(a)
NPP/IPP2(1)(a) implies a distinction between 'related' and 'directly related',
so it seems that the allowed secondary purposes need only be indirectly related
to the primary purpose, although the Federal Commissioner says that the
secondary purpose must be something that arises in the context of the
primary purpose (emphasis added) (Guidelines to the NPPs -
2.1(a)). The Victorian Commissioner says it must be "connected or
associated with the primary purpose".
The 'reasonable expectations' test governs secondary use and disclosure by
private sector organizations and Victorian government agencies, and is in
addition to the `related/directly related' test.
It is the 'individual concerned who must have the 'reasonable expectations'.
This might suggest that the level of knowledge of industry practices by the
individual is relevant' although the Federal Commissioner says the test will be
applied "from the point of view of .. an individual with no special knowledge
of the industry or activity", and the Victorian Commissioner agrees "What would
a reasonable person, without special knowledge, reasonably expect". The
Commissioners' views accord with the traditional administrative law concept of
reasonableness set out in the Wednesbury case (Associated Provisional Picture
Houses Ltd. v. Wednesbury Corporation  1 K.B. 223). The Victorian
Commissioner states that it is an objective test, and that "the expectations of
the actual individual involved are a consideration, but they are not
- Direct marketing - What forms of marketing to a company's own
customers are allowed, and which are prohibited?
- Compare the ability of Medibank (a Commonwealth agency) to market
products to its own customers to that of a private health insurance company.
The Hong Kong provision is more
strictly worded than the Australian private sector provisions (see below),
which distinguish 'directly related' from 'related and reasonably expected'. Is
there a significant difference?
3 - Principle 3- use of personal data: "Personal data shall not, without
the prescribed consent of the data subject, be used for any purpose other than-
(a) the purpose for which the data were to be used at the time of the
collection of the data; or (b) a purpose directly related to the
purpose referred to in paragraph(a).
Do the 'reasonable expectations' of the data subject have any affect on what is
'directly related'? (or, for that matter, on what is objectively determined to
be the 'purpose ... of the collection'). B&W p127 consider that, where the
data subject has not been given notice of the purpose of collection, these
reasonable expectations will affect the objective determination of purpose.
HKPCO Case No.: ar9798-12 -'Use of personal data in debt collection' - Even
where there is a directly related purpose, the data disclosed must be limited
- http://www.pco.org.hk/english/casenotes/case_enquiry2.php?id=139 HKPCO
Case No.: 200007292 - ' Whether a social worker is in breach [of PDPO] when
disclosing in court that her client has a mental problem' - PCO considered '
the purposes of collection must have implicitly included the fulfilment of any
legal duty or obligation on the part of the data user towards the courts'.
Perhaps this 'implied inclusion' could also have been treated as 'directly
related'. (In Australia it would be treated as disclosure under the 'according
to law' exception.)
- Private sector - NPP 2.1(c)
- Nigel Waters
Rights of Opposition in 'Adequacy of Australian privacy laws in relation
to the European Union Directive'  CyberLRes 1, concerning the
relationship between NPP 2.1(a) and 2.1(c).
- The EU A29 Working Party (see below) regards NPP 2.1(c) as one of the
deficiencies of the Act, adopting Waters more restrictive interpretation.
- Graham Greenleaf
The direct marketing opt-out provision in 'Private sector privacy: Problems
of interpretation'  CyberLRes 3
The specific provision in NPP 2 for direct marketing is the source of much
confusion. Some see it primarily as an alternative exception to the finality
principle that can allow direct marketing uses (not disclosures) even where
there is clearly no `reasonable expectation' and where, as a result, the
related purpose exception cannot apply. Others focus on its function of
additional constraint on all direct marketing, imposing conditions. It is
perhaps best to see 2.1(c) as an alternative basis for use, but one which
carries with it certain conditions.
The main threshold condition in exception (c) is that it only applies if it is
`impracticable for the organisation to seek the individual's consent before
that particular [direct marketing] use' (2.1(c)(i)). The Commissioner has set
out a number of factors to be considered in deciding on `impracticability', but
concludes that e-mail or SMS marketing can never make this claim. (Guidelines
to the NPPs -
A secondary threshold is whether the individual has already expressed a
preference not to receive direct marketing (2.1(c)(iii)). If he/she has done
so, then the organization must respect that preference and not use the
information for that purpose.
The other conditions apply if the threshold tests are passed and direct
marketing use is allowed. The organization must include specified information
in each communication, including contact details (2.1(c)(v)), and must clearly
offer an `opt-out' opportunity (2.1(c)(iv)), which it must not charge to
As the Commissioner points out in his Guidelines, it is open to organizations
to avoid the specific constraints of exception (c) by relying instead on
exception (b) - consent - but warns that in most cases express consent will be
required (see 6.3.4 below). Some businesses, particularly the direct marketing
specialists, maintain that much of their activity can be carried out without
either express consent or even an opt-out opportunity by relying on the related
purpose exception (a), arguing that most consumers have a `reasonable
expectation' that organizations they have dealt with before will try to sell
them other goods or services. It remains to be seen if litigation in due
course pushes most direct marketing into exceptions (b) and (c), with their
conditions, or allows it to operate relatively unconstrained under exception
It should be noted that one of the EU criticisms of the Australian law is that
it does not provide the unequivocal right of opposition to direct marketing
equivalent to Article 14 of the EU Directive.
s34 requires data users to inform data subjects, the first time they use
particular personal data 'for direct marketing' to (i) inform the data subject
of his/her right to request the data user to cease further use of that data,
and (ii) to cease to use the data if so requested.
This is a very convoluted way of expressing a right to 'opt out' of direct
marketing approaches. But it at least has the merit of clearly applying to all
direct marketing uses, with the issue of compliance with the use and disclosure
principle clearly separate. This is much more like the relevant provision in
the EU Directive (Article 14).
B&W p143 make the point that notice must be given every time a data user
makes use of some new item of personal data for direct marketing (and in their
argument 'use' can merely include looking at the data). In effect, this means
that an opt-out notice would be needed with every contact after data changed.
Alternatively, it could be argued that notice was only needed if the data item
was used to initiate or change the direct marketing, not merely viewed (a
separate use) in the course of direct marketing.
In practice many organisations would simply give the opt-out notice on every
contact, at least if it was written.
always allow data to be used for purposes other than the purpose of collection
with some form of consent of the data subject, but what form suffices differs
The Privacy Act 1988
s6 provides that 'consent means express consent or implied
consent' (repeated in Vic IPA s.3)
consent - The general meaning of 'consent' concerning the knowledge needed for
a valid consent, in areas such as contract law and consumer law needs to be
taken into account. See Jay and Hamilton Data Protection Law and
Practice 2-23 on.
- Commonwealth public sector - s14 IPP 10(a), s14 IPP 11(b): 'the
individual concerned has consented'
- Federal Privacy Commissioner's Plain English Guidelines to Information
Privacy Principles 8-11 (1996) - 'consent ... must be informed and free'.
What justification is there for this as a legal interpretation of the Act?
- Private sector - NPP 2.1(b): 'the individual has consented to the
use or disclosure'. - see the Federal Privacy Commissioner's Draft National
Privacy Principle Guidelines (May 2001) -
3 - Consent and Privacy (This is a more detailed discussion than appears in
the final September 2001 Guidelines)
- IPP 2.1(b) of the Victorian IPA - see also Privacy Victoria's IPP
Guidelines Pt 1 pp 17-20
of the NSW PPIPA - see also Privacy NSW's draft
on Consent and Capacity, April 2003
Free consent - If the provision of a benefit is conditional upon consent being
given to personal information being obtained, is this consent?
'Opting out' - Does consent require some positive affirmation, and cannot
simply be implied from inaction?
DPP 3 requires 'prescribed consent' for data to be used for a different
s2(3) provides that 'prescribed consent' "(a) means the express consent of
the person given voluntarily"; and (b) may be withdrawn in writing.
Express consent must involve a positive act; it cannot include failure to
Informed consent is required, not as a statutory requirement but as part of the
meaning of 'consent'. (see B&W pgs 94-96 noting that consent must be
Consent need not be given in writing (but must be by a positive act, verbal or
physical), but can only be withdrawn in writing.
B& W p129 notes that the data subject's consent for change of use is
required irrespective of the fact that the data was not collected from the data
- Commonwealth public sector - s14 IPP 11 (a): 'the individual
concerned is reasonably likely to have been aware, or made aware under
Principle 2, that information of that kind is usually passed to that person,
body or agency;'
- Exception (a) to IPP 11 allows agencies to (prospectively) define their
own disclosure exceptions by disclosing them at the time of collection.
Agency-defined purpose achieves the same result in IPP 10 [ie no objective
purpose justification - merely a restriction of secret or ex post facto changes
- This exception is unique to the federal public sector - there is no
equivalent in the NPPs for the private sector or in the NSW or Victorian Acts
for their public sectors.
IPP 11(a) assumes some disclosure practices can be so notorious as to not
require specific notice.
Could the disclosure by an agency to outsourcing contractors be justified here?
For Hong Kong, see B&W Chapter 12
- Commonwealth public sector - 's14 IPP 10(b)), s14 IPP 11(c):
'necessary to prevent or lessen a serious and imminent threat to the life or
health of the individual concerned or of another person'
- Private sector - NPP 2.1(e); 'necessary to lessen or prevent: (i) a
serious and imminent threat to an individual's life, health or safety; or (ii)
a serious threat to public health or public safety'
- Victorian public sector - as NPP 2.1(e) but adds `welfare'
- NSW public sector - s.17 IPP 10(1)(c) and s.18 IPP 11(1)(c) -
`'necessary to prevent or lessen a serious and imminent threat to the life or
health of the individual concerned or another person'
See Federal Privacy Commissioner's
English Guidelines to Information Privacy Principles 8-11 (1996) and
Guidelines to the National Privacy Principles - 2.1(g) and Privacy Victoria
Guidelines Part 1
- Commonwealth public sector - s14 IPP 10.1 (c) 'use of the
information for that other purpose is required or authorised by or under law';
s14 IPP 11.1(d) 'the disclosure is required or authorised by or under law'
- Private sector - NPP 2.1(g): 'the use or disclosure is required or
authorised by or under law'.
- The `authorised by or under law' exceptions allows retrospective changes
to use / disclosure, and also allows prospective changes with no requirement of
- This exception is criticised by the EU A29 Working Party (see below)
- NSW public sector - s.25(1) `the agency is lawfully authorized or
required not to comply' or s.25(2) `non-compliance is otherwise permitted (or
is necessarily implied or reasonably contemplated) under an Act or any other
- Victorian public sector - IPP 2.1(f) 'the use or disclosure is
required or authorised by or under law'
When will the common law 'authorise' disclosure? There may be duties of care
requiring disclosure (eg negligent mis-statements), or fiduciary duties.
s58(2) - Authorises disclosures for 'prevention or detection of crime',
'serious improper conduct' and other listed matters.
At this point we only discuss some of the exemptions which are particularly
related to use and disclose of information. Bear in mind that exemptions
discussed below may be exemptions to other IPPs as well as those concerning use
- Commonwealth public sector - s14 IPP 10.1(e) and IPP 10.2; s14 IPP
11.1(e) and IPP 11.2 concerning 'a note of the disclosure'
- Private sector -
- NPP 2.1(f) 'the organisation has reason to suspect that unlawful activity
has been, is being or may be engaged in, and uses or discloses the personal
information as a necessary part of its investigation of the matter or in
reporting its concerns to relevant persons or authorities'
- NPP 2.1 (h) - a broader 'permission to disclose' without breaching the
Privacy Act. ; see also NPP 2.2 re obligation to make 'a written note of
the use or disclosure'.
- The federal Commissioner has published an information sheet specifically
on the application of these exceptions
Sheet 7 - 2001 Unlawful Activity and Law Enforcement
- NSW Public sector - a much broader set of exemptions apply to law
enforcement in the NSW PPIPA. S.23 exempts all agencies from compliance with
various principles in a law enforcement context, while ss.24 & 27
specifically exempt a range of investigative agencies from selected principles,
and s.27 exempts the Police Service, the Police Integrity Commission, the State
Crime Commission and the Independent Commission against Corruption from all the
IPPs. The definition of personal information
also excludes a raft of law enforcement information.
- Victorian public sector - IPP 2.1(e) and (g), using the same words
as the Commonwealth NPPs, except that (g) uses `law enforcement agency' in
place of `enforcement body' - see definitions for the different implications.
The Victorian IPA also contains the same `notation' requirement as the NPPs -
in this case IPP 2.2. The Privacy Victoria IPP Guidelines Part 1 give specific
advice on this requirement to strengthen its role as an accountability device
with hopefully a `limiting' effect
are many exceptions, including:
of the exceptions to finality, as well as the general exemptions from all IPPs,
are among the principle stumbling blocks to Australian privacy laws being
regarded as 'adequate' by the EU:
the Opinion criticises:
- obtaining information from a credit bureau
- cooperative swapping of information in commercial credit bureaus
- a real estate agent obtaining information from a tenancy bureau
- a purchase (or exchange) of a mailing list
- operation of a merchant facility on any credit card
- payment to a carrier for Caller ID to be enabled
The exception to NPP2 where secondary use or disclosure is authorized by or
under law (NPP 2.1(g)) - on the grounds that this is far too broad. The
Committee also contrasts the wording with the wording of the 1999 version of
the NPPs, which said `specifically authorised' as evidence that the exemption
could now allow anything that was not unlawful. Article 7(c) of the EU
Directive uses the term `legal obligation'.
The exemption of `generally available publications' from the definition of
`record' which means that secondary uses of publicly available data is not
regulated. The EU Directive and OECD Guidelines contain no such exemption
The direct marketing exception (NPP 2.1(c)) which only applies to secondary
uses. The Committee points out that if direct marketing is a primary purpose of
collection there is no requirement to offer an `opt-out'.
The absence of any special controls over use and disclosure of most `sensitive
data'- NPP 10 only deals with collection, and NPP 2.4-2.6 deal only with
This critique includes most of the points made
by the EU Committee, and identifies some additional weaknesses (references are
made here to the Commonwealth provisions but in some cases similar issues arise
under the NSW and Victorian Acts):
- While the EU Committee restricts itself to the new private sector law,
Nigel Waters 'Adequacy of Australian privacy laws in relation to the European
Union Directive'  CyberLRes 1, looks at the finality principles applying
to the following sectors:
The consent exception IPP 10.1(a) and 11.1(b) and NPP 2.1(b) does not require
`unambiguous' consent, as does Article 7.1(a) of the Directive
The allowance for use & disclosure for `related purposes' (IPP10.1(e),
NPP2.1(a)) is arguably similar to Articles 6(1)(b) (not incompatible), and
7(b), although the wording of the Australian provisions varies considerably
both between jurisdictions and in some cases between use and disclosure,
leaving considerable scope for generous interpretations of what is a related
The absence of any right of opposition to uses equivalent to Article 14 of the
Directive, except for the direct marketing provision in the private sector
amendments (NPP2.1(c)) and a provision in the NSW Act for suppression of public
register details on safety grounds (ss.57-59)
Weaknesses in relation to `onward transfer' - these are discussed separately in
Reading Guide 3.
The application of IPPs to public registers differs widely between
jurisdictions, with some imposing the normal IPPs (Hong Kong), some imposing
none at all (Australian federal government), and some imposing special regimes
(NZ, Victoria, and NSW to some extent).
The main source of special public register rules in the Asia-Pacific is the New
Zealand legislation - Privacy Act 1993 Part VII, Public Register Personal
are no special provisions for public registers in the Privacy Act 1988
IPP 1 applies to the collection of information for inclusion in record or in a
'generally available publication'.
However, most IPPs and NPPs only apply to 'records', and public registers are
not 'records': Privacy Act 1988 s6: 'generally available publication
means a magazine, book, newspaper or other publication (however published) that
is or will be generally available to members of the public.'; a 'record' (to
which most of the IPPs apply) does not include a generally available
publication. Note that the exclusion only applies to the publicly available
form of public registers, and not to the underlying databases, which remain
subject to the Principles.
NSW included the first public register privacy principles in Australia, but
they are very limited.
- NSW Privacy and Personal Information Protection Act 1998
s4 Definition of "personal information": s4(3) Personal information does
not include any of the following: ... (b) information about an individual that
is contained in a publicly available publication'. The NSW IPPs apply only to
personal information (subject to the other exceptions and exemptions) so they
do not apply to Public Registers.
Part 6: Public Registers sets out a separate set of information privacy
principles for Registers, and codes of practice may also modify those public
register principles (s30(1)). See in particular:
s57. Disclosure of personal information contained in public registers:
an agency 'responsible for keeping a public register must not disclose any
personal information kept in the register unless the agency is satisfied that
it is to be used for a purpose relating to the purpose of the register or the
Act under which the register is kept'. The agency can require a statutory
declaration as to purposes of inquiry.
s58. Suppression of personal information: Under some circumstances, to
protect a person's safety or well-being, an agency may not include, or remove,
personal information from a public register.
- G Greenleaf
new era for public sector privacy in NSW (1999) 5 PLPR 130
Hong Kong does not have special provisions concerning public registers, nor any
special exemptions from the DPPs for them.
- The Victorian IPA takes a complex and sometimes confusing approach to
public registers, which nevertheless represents an innovation in Australian
privacy law. Publicly available information is excluded from the application of
most of the Act, including the IPPs (s.11), but Public sector agencies must
administer public registers `so far as is reasonably practical' by not
contravening the IPPs in relation to them (s16(4)). See Graham Greenleaf
Public registers in
Victoria's privacy Bill still sets the standard (2000) 7 PLPR 21:
Agencies operating public registers are usually under a statutory duty to
provide access to the public. However, this does not mean that access to public
register is for any and all purposes. It would be necessary to interpret the
statute creating the public register to determine the purposes for which access
is provided to the public.
Data users who access the public register would then be collecting personal
information for those statute-defined purposes.
As B&W p128 point out, agencies should advise data users, by notices, of
the purposes for which it is legitimate to use data from a particular
Other DPPs will also apply to the register, such as access and correction
rights, subject to any overriding provisions in the Ordinance governing it.
There seems to be a division within government over the extent to which the
Ordinance applies to public registers:
federal government only has very piecemeal controls over data matching.
- 'Use of data obtained from Land Registry for direct marketing purpose' -
PCO considers it an unresolved question whether (i) Land Registry 'collects'
personal data (in which case it must do so for a purpose (land
administration?); and therefore any different use of the data (eg by a Bank for
marketing) requires consent;
or (ii) Land Registry does not 'collect' but
merely makes it available under a statutory obligation, 'with no particular
limitation as to the purpose for which they may be used'.
Data matching involves wholesale prima facie breaches of IPP 11 - how is it
(See back to Part 3, `Data matching and the creeping Tax File Number`)
See Federal Privacy Commissioner's Plain English Guidelines to Information
Privacy Principles 8-11 (1996) -
Exceptions 10.1(c) and 11.1(d) - required or authorised by law and
10.1(d) and 11.1(e) - law enforcement and revenue protection
G Greenleaf `Data matching in Australia - the facts'
PLPR 114 - This note on the Commonwealth Privacy Commissioners survey of
the extent of data matching by the Commonwealth notes the following:
has quite extensive data matching controls (Privacy Act 1993 Part X), based
on the Australian model but of more general application
B&W pgs 130-137
- It identifies 45 data matching programs, 28 of which were for `case
selection' (ie `to select cases of interest for further action')
- Most data matching by Commonwealth agencies is not regulated by
Matching Program (Assistance and Tax) Act 1990 is the exception. The
Commissioner notes that IPP 11 provides `little restraint' because (i) most
agencies have broad powers to require information and/or disclose it, so one
agency or other meets the `authorised by law' exception; and (ii) even if they
have no powers, agencies can `bootstrap' themselves by simply informing
individuals at time of collection that disclosure will occur (
11 exception (a)); (iii) some agencies have also tried to argue the law
enforcement/public revenue exception applies to mass disclosures without any
knowledge of the individual case to support it being `reasonably necessary' -
this remains untested.
- The Commissioner has no power to regulate such data matching (let alone
stop it) - once an exception applies, he cannot impose conditions [contra his
granting an exception under the PID procedure] . He issued `voluntary data
matching guidelines' in 1992, but they have been rejected or ignored by most
agencies (eg only 2 had actually prepared program protocols).
was as at 1996. Since then, compliance has been patchy. As at July 2000, 7
agencies had agreed to follow the voluntary guidelines and another 5 to do so
if and when they undertake matching. (Privacy Commissioner Annual Report
1999-2000, Appendix 6. The Commissioner has reviewed some of the matching
programs subject to the voluntary guidelines - particularly those undertaken by
Centrelink, but detailed findings of these reviews are not publicly available.]
- The first Commissioner recommended legislation making data matching
guidelines mandatory, with specific guidelines being issued for each
data matching scheme. This call was endorsed by a Parliamentary Committee in
the mid 1990's, but the government has not responded and the issue does not
appear to have been followed up by the successor Commissioners. [Comment: While
this is a good idea in terms of procedural fairness, the Commissioner did not
propose any means of controlling which data matching schemes are to be allowed
at all - a classic `efficiency' approach.]
Requirements that personal data must be 'accurate' or 'relevant' before it is
used are a form of restriction of use which are found in most sets of IPPs.
- Roger Clarke's extensive resources are some of the most detailed
technical/policy studies of this topic, including specifically his papers:
See B&W p115 for examples of the scale of the problem of inaccurate
Bygrave (doctoral thesis, 2000)
3.5. Information Quality discusses the implementation of this principle in
the EC Directive and European laws. 'The fourth core principle of data
protection laws is that personal data shall be valid with respect to what they
are intended to describe, and relevant and complete with respect to the
purposes for which they are (intended to be) processed.'
These requirements of data quality at time of use (
and use limited to relevant purposes (
are intended to ensure that personal information is only used for purposes for
which it is appropriate. For example, in Sweden in the early 1980s, it was
found that, although many agencies collected information on a person's
`income', they all used different definitions of `income', so any
cross-matching of this information would be to use it in breach of one or both
of the principles.
See B&W Chapter 6 generally
and duration of retention of personal data - DPP2 requires that 'All
practicable steps shall be taken to ensure that- (a) personal data are
accurate having regard to the purpose (including any directly related purpose)
for which the personal data are or are to be used'.
"Inaccurate" 'in relation to personal data, means the data is incorrect,
misleading, incomplete or obsolete' (s2). 'Accurate' can therefore be
understood as 'not inaccurate'. See B&W p114 for examples of each of
'incorrect, misleading, incomplete or obsolete'.
If data are inaccurate, then DPP2(b) requires that they (i) not be used or (ii)
erased. This is a separate obligation from that found in DPP2(2), which
requires permanent deletion when retention of the data is not necessary to
fulfil any of its purposes of use (see later concerning the Destruction
Since 'use' includes disclosure, DPP2 imposes an obligation on a data user who
is proposing to disclose data to a 3rd party to ensure that the data is
accurate having regard to the purpose for which the data is being disclosed to
the third party. This will be so even if the disclosure is because of the
exercise of compulsory power by the 3rd party. However, difficult questions may
then arise as to what degree of checking of accuracy is 'practicable',
particularly if data concerning many individuals are being disclosed.
also requires that, where practicable, once a data user is aware that data
which has previously been disclosed to a third party are 'materially
inaccurate' (and were so at the time of disclosure),then there is an obligation
to inform the third party of this and provide the corrected data.
Such a requirement for notification may arise either as a result of a data
user's internal procedures picking up a previous inaccurate disclosure, or as a
result of a data user exercising their rights of access and correction under
This right of 3rd party notification is a valuable addition to the Hong Kong
DPPs. It is not found, for example, in most Australian IPPs.
Contraventions of the Ordinance may lead to damages claims by 'an individual
who suffers damage' under
Compensation, but two defences are provided:
See B&W p116 for discussion.
Bygrave (doctoral thesis, 2000)
3.6. Data Subject Participation and Control discusses these principles as
the third main category a set of principles empowering data subjects, but they
can also (from the perspective of the data user) but seen as a Principle
limiting use of personal data.
Bygrave summarise that 'The EC Directive contains important instances of such
a right, namely in Art 14(a) (which provides a right to object to data
processing generally), Art 14(b) (which sets out a right to object to direct
marketing) and, most innovatively, Art 15(1) (stipulating a right to object to
decisions based on fully automated assessments of one's personal character).'
Article 15 of the EU Directive requires the grant of a "right to every person
not to be subject to a decision which produces legal effects concerning him or
significantly affects him and which is based solely on automated processing of
data", subject to various exceptions.
- the data user 'had taken such care as in all the circumstances was
reasonably required' (s66(3)(a); or
- the data is inaccurate because the data subject or a third party supplied
inaccurate data (s66(3)(b)). It is worth noting that it could be considered
unfair collection under DPP1 if a data user was reckless as to the quality of
the data it collected from 3rd parties, and that this defence would not apply
in that case, because unfair collection, not inaccuracy, would be the basis of
For a detailed assessment, see:
exception, discussed above, is also significant as one of the few examples in
Australian IPPs, of a right to object to processing.
Another example of this principle in Australian law is the provision in the
Data matching Program (Assistance and Tax) Act 1990 for individuals to be
notified before any adverse action can be taken against them (s.11, and
Guidelines 5.1-5.2). This may have much the same effect as an objection to
processing, as it gives a right to object before a decision based on automated
processes is made.
The only example of such a Principle is the right to opt-out of direct