Plain English Guidelines to Information Privacy Principles 8 - 11

 

Advice to agencies about using and disclosing personal information


Privacy Commissioner, November 1996

Copyright (c) Commonwealth of Australia 1994. Copying is permissible provided acknowledgment is made to the Human Rights and Equal Opportunity Commission, Sydney, November 1996. ISBN 0 642 25992

Contents

  • Words with special meanings
  • Introduction to these guidelines
  • Information Privacy Principle 8 - use only accurate, up to date, and complete information
  • How likely is the information to be inaccurate, out of date, or incomplete?
  • Information Privacy Principle 9 - use information for a purpose to which it is relevant
  • Information Privacy Principles 10.1 and 11.1 - basic rules about using and disclosing
  • Concept underlying IPP 10.1 - "reasonable expectation"
  • If an agency obtains personal information from a third party
  • 11 What does IPP 11.1 say?
  • Information Privacy Principles 10.1 and 11.1 - exceptions to the basic rules
  • Exceptions 10.1(a) and 11.1(b) - consent by the individual concerned
  • Exception 11.1(a) - aware the disclosure is usual practice
  • Exceptions 10.1(b) and 11.1(c) - threat to life or health
  • Exceptions 10.1(c) and 11.1(d) - required or authorised by law
  • Exceptions 10.1(d) and 11.1(e) - law enforcement and revenue protection
  • Exception 10.1(e) - directly related purpose
  • Information Privacy Principles 10.2 and 11.2 - noting uses and disclosures
  • Information Privacy Principle 11.3 - use and disclosure of disclosed information

    Words with special meanings

    In the text of these guidelines, words with special meanings are printed in bold. These words are explained in Meaning of words.
     
     

    Words with special meaning are only in bold the first time they appear in each section of information.

    Words with special meanings include the various forms of that word (for example, "use" includes used, using etc.; "disclosure" includes disclose, disclosing etc.).
     
     

    The text also uses "information" as a shortened form of "personal information".
     
     

    Introduction to these guidelines

    The Information Privacy Principles (IPPs) in section 14 of the Privacy Act 1988 set out standards for handling personal information that legally bind agencies.
     
     

    IPPs 8-11 deal with using and disclosing personal information. These guidelines are the Privacy Commissioner's view of how IPPs 8-11 work and have been prepared after consulting Privacy Contact Officers in relevant agencies. These guidelines are not legally binding.
     
     

    Nothing in these guidelines limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act and to apply the IPPs in the way that seems most appropriate to the facts of the case being dealt with.
     
     

    The Privacy Commissioner can determine that an agency has breached an IPP and that compensation is payable to the complainant.

    This is the second set of IPP guidelines published by the Privacy Commissioner. Plain English guidelines to IPPs 1-3 (dealing with collecting personal information) were published first. IPPs 8-11 have been dealt with next because they are complex and have generated more issues for agencies and the Privacy Commissioner than the other IPPs.
     
     

    What do the IPPs do?

    There are eleven IPPs in the Privacy Act. Most agencies that handle information about people must follow these IPPs. The IPPs:
     
     

    * regulate the way an agency collects, stores, uses and discloses information about people

    * allow people access to information that an agency keeps about them

    * allow people to request changes to this information

    IPPs reflect ideas set out in the OECD guidelines

    Many of the IPPs reflect ideas set out in the Organisation for Economic Cooperation and Development's Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the OECD guidelines). These were promulgated in 1980.
     
     

    In 1984, Australia committed itself to taking the guidelines into account in domestic legislation. The Privacy Act assists in meeting this commitment.
     
     

    Who do the IPPs apply to?

    The IPPs apply to agencies. An agency is required by law to comply with the IPPs. Section 16 of the Privacy Act says that "an agency shall not do an act or engage in a practice that breaches an Information Privacy Principle."
     
     

    How to use these guidelines

    1. Use the Quick reference guide on page 3 to see which IPPs apply to your use or disclosure of personal information.

    2. Use the Table of contents to help you find guidelines on topics that might be relevant.

    3. Some of the words used in these guidelines have special meanings. Use the Meaning of words section to help explain words that are in bold type, and their variations.

    How can I get more advice about the IPPs?

    The Privacy Commissioner has published various guidelines and documents on the Privacy Act. These include:
     
     

    * Plain English guidelines to IPPs 1-3

    * a document called Outsourcing and Privacy. This document contains model privacy clauses that can be used in contracts in which the agency engages outsiders to perform functions that involve handling personal information. Copies are available from the Privacy Commissioner's Office.

    Both of these documents are available on the Commonwealth Managers Toolbox. Limited copies of the Plain English guidelines to IPPs 1-3 are also available from the Privacy Commissioner's Office.
     
     

    For more information about the IPPs, you can also consult the Privacy Contact Officer in your agency.

    If the Privacy Contact Officer cannot help you, you can phone the Privacy Commissioner's office toll-free on the privacy hotline number: 1 800 023 985
     
     

    The Privacy Commissioner's address is: GPO Box 5218, Sydney NSW 2001
     
     

    Quick reference guide to when IPPs 8-11 apply

    IPPs 8-11 apply when an agency intends to use, or disclose, personal information.

    Are you dealing with "personal information"?

    Read the definition of personal information on page 10 to help you decide if the information with which you are dealing is personal.
     
     

    Are you "using" or "disclosing" that information?

    Read The meaning of "use" and "disclosure" of information on pages 11 to 13 to help you decide which category your activity falls into. Then read the IPPs and guidelines that are relevant to that activity.
     
     

    If you are "using" personal information...

    The IPPs governing the use of personal information are:
     
     

    * IPP 8 (read guidelines 1-5)

    * IPP 9 (guidelines 6-9)

    * IPP 10.1 (guidelines 10 and 12)

    * exceptions to IPP 10.1:

    - generally (guideline 13)

    - 10.1(a) (guidelines 14-17) "consent by the individual concerned"

    - 10.1(b) (guidelines 25-29) "threat to life or health"

    - 10.1(c) (guidelines 30-35) "required or authorised by law"

    - 10.1(d) (guidelines 36-42) "law enforcement and revenue protection"

    - 10.1(e) (guidelines 43-45) "directly related purpose"

    * IPP 10.2 (guidelines 46 and 47)

    If you are "disclosing" personal information...

    The IPPs governing the disclosure of personal information are:
     
     

    * IPP 11.1 (read guidelines 11 and 12)

    * exceptions to IPP 11.1:

    - generally (guideline 13)

    - 11.1(a) (guidelines 18-24) "aware the disclosure is usual practice"

    - 11.1(b) (guidelines 14-17) "consent by the individual concerned"

    - 11.1(c) (guidelines 25-29) "threat to life or health"

    - 11.1(d) (guidelines 30-35) "required or authorised by law"

    - 11.1(e) (guidelines 36-42) "law enforcement and revenue protection"

    * IPP 11.2 (guideline 42)

    * IPP 11.3 (guidelines 46-48)

    Also be aware of IPP 4

    Agencies must also take care not to breach IPP 4 which deals with the security of personal information. This IPP applies to all agencies in possession or control of personal information. It requires an agency to reasonably protect personal information against unauthorised access, use, modification or disclosure.
     
     
    Text and summary of IPPs 8-11

    Actual text of IPPs 8-11 as set out in the Privacy Act

    Text of IPP 8
     
     

    A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.
     
     

    Summary of IPP 8
     
     

    An agency must take reasonable care to check that personal information is accurate, up to date, and complete, before using it.
     
     

    Text of IPP 9
     
     

    A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.
     
     

    Summary of IPP 9
     
     

    An agency must only use personal information for a purpose to which it is relevant.
     
     

    Text of IPP 10.1

    A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose, unless:
     
     

    (a) the individual concerned has consented to use of the information for that purpose;

     (b) the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;

     (c) use of the information for that other purpose is required or authorised by or under law;

     (d) use of the information for that other purpose is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or

     (e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.
     
     

    Summary of IPP 10.1

    An agency must not use personal information for any purpose other than that for which it obtained the information, unless:
     
     

    (a) the person the information is about consents, or

     (b) the use is necessary to protect against a serious and imminent threat to a person's life or health, or

     (c) the use is required or authorised by law, or

     (d) the use is reasonably necessary to enforce the criminal law or a law imposing a pecuniary penalty, or to protect public revenue, or

     (e) the use is directly related to the purpose for which the agency obtained the information.

    Text of IPP 10.2
     
     

    Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.
     
     

    Summary of 10.2

    An agency that uses personal information under exception 10.1(d) must note that use on the record containing the information.
     
     

    Text of IPP 11.1

    A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:
     
     

    (a) the individual concerned is reasonably likely to have been aware, or made aware under principle 2, that information of that kind is usually passed to that person, body or agency;

     (b) the individual concerned has consented to the disclosure;

     (c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

     (d) the disclosure is required or authorised by or under law; or

     (e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue;
     
     

    Summary of IPP 11.1
     
     

    An agency must not disclose personal information unless:
     
     

    (a) the person the information is about has been told in a valid IPP 2 notice, or is otherwise likely to know, that that kind of disclosure is commonly made, or

     (b) the person the information is about has consented, or

     (c) the disclosure is necessary to protect against a serious and imminent threat to a person's life or health, or

     (d) the disclosure is required or authorised by law, or

     (e) the disclosure is reasonably necessary to enforce the criminal law or a law imposing a pecuniary penalty, or to protect public revenue.
     
     

    Text of 11.2
     
     

    Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.
     
     

    Summary of 11.2

    An agency that discloses personal information under exception 11.1(e) must note that disclosure on the record containing the information.
     
     

    Text of 11.3
     
     

    A person, body or agency to whom personal information is disclosed under clause 1 of this principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.
     
     

    Summary of 11.3

    If an agency discloses any personal information, the recipient must only use or disclose it for the purpose for which it was disclosed to them.
     
     

    How do the IPPs relate to other Acts?

    IPPs apply alongside other legislation

    If IPPs 10 or 11 allow a use or disclosure, that use or disclosure will still be unlawful if other legislation makes it unlawful. So if an agency's own legislation says that it cannot use or disclose personal information in a particular way, the agency must comply with that legislation - even if IPP 10 or 11 would permit the use or disclosure.
     
     

    IPPs 10.1 and 11.1 do not prevent an agency using or disclosing personal information if another law specifically requires or authorises the agency to do so. (This is stated in exceptions IPP 10.1(c) and IPP 11.1(d).)
     
     

    If a law specifically prohibits or permits a use or disclosure, an agency must comply with it. IPPs 10.1(d) and 11.1(e) cannot be used to extend the permitted uses or disclosures.
     
     

    IPPs only set out minimum standards

    The IPPs only set out minimum legal standards for agencies in dealing with personal information. A higher standard may be appropriate, even if the IPPs do not require it.

    It may be appropriate for an agency to take more care to protect people's privacy (than the IPPs require) if:
     
     

    * particularly sensitive personal information is involved, or

     * using or disclosing personal information is likely to have serious consequences for the person the information is about.

    How do the IPPs relate to common law limits on use and disclosure?

    Common law duties of confidence

    Common law duties of confidence (for example, the duty owed by doctors to their patients, or by lawyers to their clients) may limit an agency's ability to disclose personal information.

    Part VIII of the Privacy Act extends the operation of the common law duty of confidence to cover agencies that obtain information from sources that have themselves obtained the information subject to a duty of confidence.
     
     

    For example: Agency A obtains information from an individual under a duty of confidence and then discloses the information to Agency B. The individual can sue Agency B directly if it should have known about the duty of confidence but fails to keep the information confidential.
     
     

    Johns v ASC

    In Johns v Australian Securities Commission (1993) 116 ALR 56, the High Court held that if someone compulsorily obtains information using a statutory power, they must:
     
     

    * only use or disclose that information for the purposes set out in, or implied by, the statute, and

     * otherwise treat the information as confidential.

    If the Johns case applies to limit the purposes for which information may be used or disclosed, uses and disclosures that would otherwise be permitted by IPPs 8-11 are unlawful if they fall outside those purposes.
     
     

    Personal information obtained before 1 January 1989

    IPPs 8 and 9 apply to all personal information, whenever obtained. But IPPs 10 and 11 only apply to personal information that an agency:

    * obtains on or after 1 January 1989 (the date the Privacy Act commenced), or

     * obtained before 1 January 1989 but amends on or after that date in a way that significantly changes its meaning.

    An agency is advised to treat all personal information as being subject to all IPPs

    It may be difficult for an agency to work out exactly what personal information IPPs 10 and 11 apply to. So the Privacy Commissioner encourages an agency to comply with all IPPs when handling personal information - no matter when it was obtained.
     
     

    Doing this will:
     
     

    * more effectively safeguard the privacy of all people about whom an agency holds information, and

     * remove the possibility of an agency making, or being accused of making, unfair or arbitrary distinctions when trying to work out what information to protect.

    Personal information in generally available publications

    IPPs 8-11 do not apply to personal information in a generally available publication. But they do apply to the same information if it appears in a record held by an agency.
     
     

    How to manage the use and disclosure of personal information

    Setting up a control system

    An agency should set up policies and procedures that effectively manage the way in which staff use and disclose personal information. This can help minimise the risk of breaching IPPs 8 to 11 as well as IPP 4.
     
     

    IPP 4 requires an agency to take all reasonable measures to safeguard personal information against unauthorised access, use, modification or disclosure.
     
     

    Some options for minimising risk of breaching the IPPs

    It is not only the IPPs that an agency must take into account when setting up a system to control information - and these guidelines do not try to lay down detailed rules for designing such a system. But here are some options that an agency may consider to minimise the risk of breaching the IPPs:

    ...minimising risk generally
     
     

    * train staff in privacy requirements (including the agency's policy on use and disclosure).

     * have a contact officer (who could be the agency's Privacy Contact Officer) available to advise on how IPP requirements apply in cases where this is not clear.

    ...minimising risk in using and disclosing personal information
     
     

    * have policies on using and disclosing personal information that are accessible, and explained, to all staff. Policies should be reviewed from time to time to make sure they are still relevant. It is important that the policies give practical advice on situations that regularly arise in the organisation. Policies that only state principles are insufficient.

    Policies should explain:

     - what information can be used or disclosed

     - when the information can be used or disclosed

     - which staff may use or disclose the information

     - to whom the information may be disclosed

     - how to use personal information within the agency
     
     

    This is especially important in an agency whose range of functions means that different parts of the agency are likely to hold personal information for unrelated purposes.
     
     

    - any other restrictions on using or disclosing personal information

    For example: the information may only be able to be disclosed for certain purposes, or only if certain conditions are met by the person requesting the information.
     
     

    - any actions that should accompany use or disclosure.

    For example: recording the disclosure.
     
     

    - any special procedures that apply to personal information held on computer systems.
     
     

    * identify classes of requests for disclosures and determine what level of officer can make decisions about each class. Decisions about difficult requests or requests that may have serious consequences (embarrassment, financial damage, physical danger) may be reserved for more senior officers.
     
     

    * if an agency is frequently asked to disclose personal information to another body, it should set out its policies in a written agreement between the agency and the body to which it discloses the personal information.

    ...minimising risk if an agency handles information on behalf of another agency
     
     

    Any arrangements that involve one agency handling personal information on behalf of another should be set out clearly in a written agreement between the two agencies (unless other legislative arrangements apply). This clarifies and strengthens the chain of accountability. The agreement should address:
     
     

    - the types of personal information involved

     - which officers of the handling agency are to have access to the information

     - what safeguards are to be put in place to protect the information

    - procedures to be followed if the handling agency mishandles the information

     - arrangements for liaising between the agencies.
     
     

    Meaning of words

    The meanings used here are based on the definitions in sections 6 and 10 of the Privacy Act.
     
     

    agency

    Agencies are generally federal government organisations. These organisations include:
     
     

    * federal government departments

     * bodies and tribunals set up for a public purpose by federal government laws.

    Agencies also include:
     
     

    * contracted case managers under the Employment Services Act

     * Australian Capital Territory government organisations.

    State, Northern Territory, and local government organisations are not "agencies".
     
     

    Some organisations, even if set up by federal government laws, are not "agencies". These include:
     
     

    * incorporated companies

     * incorporated societies, and

     * incorporated associations.

    The IPPs legally bind most agencies.

    disclosure

    See The meaning of "use" and "disclosure" of information below.
     
     

    generally available publications

    Generally available publications include things like magazines, books, newspapers, annual reports, the Government Gazette and public databases like the Electoral Roll.
     
     

    Note that IPPs 8-11 do not apply to personal information in a generally available publication. But they do apply to the same information if it appears in a record held by an agency.
     
     

    personal information

    The Privacy Act (and these guidelines) only covers personal information. This is information or opinions that can identify a living person.
     
     

    Information about dead people is not technically personal information, but agencies are encouraged to respect the sensitivities of family members when using or disclosing it.
     
     

    record

    A record is a:
     
     

    * document

     * database

     * photograph or picture of people.

    The Privacy Act lists a number of exceptions to this definition. For example, generally available publications are not "records".
     
     

    record-keeper

    A record-keeper is an agency that possesses or controls a record of personal information.
     
     

    If one agency possesses a record, but another agency controls it, each agency is a record-keeper.
     
     

    use

    See The meaning of "use" and "disclosure" of information below.
     
     

    The meaning of "use" and "disclosure" of information

    The meanings used here are based on the definitions in section 6 of the Privacy Act.
     
     

    What is a use?

    Use is interpreted broadly. It relates to managing personal information within an agency.

    As a general rule, any accessing by an agency of personal information in its control is a "use". This includes:

     * searching records for any reason

     * using personal information in a record to make a decision

     * passing a record from one part of an agency to another part with a different function.

    Use also includes publishing personal information.
     
     

    What is a disclosure?

    The Privacy Commissioner interprets a disclosure as a release of personal information from the effective control of the agency. An agency may release the personal information:
     
     

    * automatically, to a person or body that the agency knows has a general authority to access that personal information, or

     * in response to a specific request.

    Note: If an agency gives personal information to an outsider whom it has contracted to work for it, the agency may be treated as using, not disclosing, that information. To find out when, please see When is passing personal information outside the agency a use?
     
     

    Examples of disclosures:
     
     

    * If agency staff act to give someone outside the agency a record containing personal information, and the staff do not retain control over that information, there is a disclosure.

     * If an agency does something once (like setting up a computer logon) which allows someone outside the agency to access personal information many times, there is a disclosure each time the outside person accesses the information using that means.

    This is consistent with the purpose of the Privacy Act - to give individuals an enforceable right to have an agency handle their personal information in a way that adequately protects their privacy.
     
     

    Relationship between use and disclosure

    An agency's action cannot be both a use and a disclosure

    Use does not mean disclosure and disclosure does not mean use. So either IPP 10 (use of personal information) or IPP 11 (disclosure of personal information) can apply to an agency's action - but not both.

    If a single administrative process involves both a use and disclosure, these are considered separately under IPP 10 and IPP 11 respectively.
     
     

    When is passing personal information outside the agency a use?

    An agency may pass personal information to an outside person or organisation. The test for working out if this act is a use or disclosure is always whether or not the agency maintains control over that personal information:
     
     

    * An agency that gives up its control over the personal information to the outsider is treated as disclosing that information.

    * An agency that maintains control over the personal information is treated as using that information.

    An agency maintains control over personal information if:
     
     

    * it gives the personal information to the outsider to use for a limited purpose that assists or benefits the agency, and

     * an agreement between the agency and outsider:

    - binds the outsider not to use or disclose the personal information except for the limited purpose, and

     - gives the agency the right to access, change or retrieve the personal information.

    For example: An agency may give personal information to an outsider who is contracted to do work for the agency (for example, under a contract for information technology services, or mailing house services). The agency is treated as using the information if:
     
     

    * the outside contractor is using the information solely to perform a function of the agency, and

     * the contract gives the agency control over the information.

    An employee's use or disclosure is treated as that of the agency

    If an agency's employee uses or discloses personal information in the course of their duties, the agency is treated as having used or disclosed that personal information.
     
     

    An employee may still be acting "in the course of their duties" if they use or disclose personal information in good faith, not realising that what they are doing is unauthorised or prohibited.
     
     

    An employee is not acting "in the course of their duties" if they use or disclose personal information knowing that the use or disclosure is unauthorised or prohibited. These acts are not treated as those of the agency.

    But if an agency fails to reasonably protect personal information against unauthorised access, use, or other misuse, it may be in breach of IPP 4.
     
     

    Post box arrangements

    Post box arrangements operate where one agency gives another a letter to be mailed out, and the names of who it is to be mailed to. The second agency (which holds the addresses of those people) does the actual mailing without revealing the addresses to the first agency.

    The second agency only uses the addresses - it does not disclose them to anyone. If the purpose of the mail out is different from the purpose for which the second agency originally obtained the addresses, IPP 10.1 will apply and the mail out will be unlawful unless one of the exceptions under IPP 10.1 applies.
     
     

    Information Privacy Principle 8 - use only accurate, up to date, and complete information

    What are the guidelines on IPP 8?

    Guideline 1 gives the text of IPP 8.

    Guideline 2 tells you what personal information is covered by IPP 8.

    Guideline 3 explains the extent to which personal information needs to be checked and when checking is reasonable.

    Guideline 4 tells you to check personal information consistently with IPP 3.

    Guideline 5 tells you to amend all relevant records with accurate, up to date, or complete information that you get.
     
     

    1 What does IPP 8 say?

    The text of IPP 8 is:
     
     

    A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.
     
     

    Meaning of IPP 8

    IPP 8 imposes obligations on an agency concerning the quality of the personal information it uses.
     
     

    IPP 8 says that before an agency can use personal information, it must take reasonable steps to make sure that it is accurate, up to date, and complete.

    2 What information does IPP 8 apply to?

    IPP 8 applies to all personal information held by an agency, whenever obtained.
     
     

    3 Checking the quality of personal information

    How likely is the information to be inaccurate, out of date, or incomplete?

    The extent to which an agency must check the quality of personal information before using it depends on how likely it is that the personal information is inaccurate, out of date, or incomplete.

    The more likely it is that the information is inaccurate, out of date, or incomplete, the more reasonable it is for an agency to check the personal information before using it.
     
     

    Note:
     
     

    * birth dates do not become out of date or incomplete - accuracy is the only consideration

     * marital status, surname, occupation, address, and similar details, can be inaccurate and can easily become out of date

     * more complex personal information (for example, a criminal history, a medical report, or an academic record) can be inaccurate, out of date, or incomplete. So, care should always be taken to make sure that the information is correct.

    The more serious the consequences, the more reasonable it is to check

    The more serious the consequences of the personal information being inaccurate, out-of-date, or incomplete, the more reasonable it is for the agency to check the information before using it.
     
     

    For example:
     
     

    * If an agency is going to cut off someone's pension, a mistake in the information on which the decision is based may have serious consequences. So, it is most important that the information is accurate, and extensive checking may be regarded as reasonable.
     
     

    * If an agency is posting a notice to an employer about an employee who is liable to pay child maintenance, the consequences of not checking the address supplied by the employee may be serious. For example, if the employee wants the information kept confidential but someone other than the employer receives and opens the notice, the employee's privacy is unnecessarily invaded.
     
     

    * If an agency is going to send out a newsletter to its clients, the consequences of a mistake may not be so serious, and less detailed checking may be regarded as reasonable.

    It is best to check with the original source

    The most reliable way of checking if personal information is accurate, up-to-date and complete is to check it against the original source.
     
     

    But sometimes an agency cannot reasonably check the original source of personal information before using it, for example:
     
     

    * the original source may no longer be available

     * checking the original source may be unreasonably expensive

     * the consequences of the personal information being incorrect are not serious.

    If an agency cannot reasonably check personal information with the original source, there are almost always things it can do to make sure the information it uses is of high quality.
     
     

    For example: if an agency is doing a bulk mail out to its clients, it would not be reasonable to check name and address details with each client at the time. But it would be reasonable to make sure that changes of address are processed quickly and accurately in maintaining the database.
     
     

    4 Checking must be done consistently with IPPs 1-3
    If it is reasonable for an agency to check the quality of personal information, the agency must do it in a way that does not breach IPPs 1-3. These IPPs deal with obtaining personal information.

    The Privacy Commissioner's plain English guidelines to IPPs 1-3 are available on the Commonwealth Managers' Toolbox and from the Commissioner's Office.
     
     

    As a general rule, an agency should first check personal information:

    * with the person the information is about, or

     * against other internal records that were collected for the same purpose and that may confirm the personal information.

    Checking personal information with a third party
    Checking personal information with a third party intrudes on the privacy of the person who the information is about, and should only be done if checks with that person or against other internal records prove unsatisfactory.
     
     

    For example: A woman is claiming a single parent benefit from an agency. She admits that she shares some domestic arrangements with a man but denies that they are in a marriage-like relationship. The agency does not bother interviewing the man in question, but instead interviews various other people in the community about the relationship. This causes the matter to become widely known in the community. If the agency had first approached the man in question, it may not have needed to interview the other people, and the matter may have remained private.
     
     

    5 Amend all relevant records
     
     

    If the agency gets correct personal information to amend inaccurate, out of date, or incomplete personal information, it should amend all records that contain that information at the same time.

    For example: if a number of copies of a document containing the inaccurate, out of date, or incomplete personal information are held at different places within an agency, it is sensible to amend them all.
     
     

    Amending all relevant records:
     
     

    * removes the need to check the one piece of personal information repeatedly, and

     * reduces the risk of future breaches of IPP 8 by an agency (which may assume that unamended records are accurate, up to date, and complete).

    What about records with historical value?

    It may be inappropriate to amend original records with some historical value. Instead, the agency may add a note to the record that sets out the accurate, up to date, or complete personal information.

    Information Privacy Principle 9 - use information for a purpose to which it is relevant

    What are the guidelines on IPP 9?
     
     

    Guideline 6 gives the text of IPP 9

    Guideline 7 tells you what information IPP 9 applies to

    Guideline 8 explains how a use permitted by IPP 9 may still be unlawful under IPP 10.1

    Guideline 9 gives examples of non-relevant purposes
     
     

    6 What does IPP 9 say?

    The text of IPP 9 is:
     
     

    A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.
     
     

    Meaning of IPP 9

    IPP 9 says that an agency must only use personal information for a purpose to which the information is relevant. An agency must ask itself:
     
     

    * for what purpose is the personal information being used?

     * is that personal information relevant to that purpose?

    7 What information is covered by IPP 9?

    IPP 9 applies to all personal information held by an agency, whenever obtained.
    8 A use permitted by IPP 9 may still be unlawful under IPP 10.1
    Even if use of personal information for a particular purpose is "relevant" under IPP 9, an agency must still make sure that the use is lawful under IPP 10.1. The use is unlawful under IPP 10.1 if:

    * the particular purpose is different from the purpose for which the information was obtained, and

     * none of the exceptions to IPP 10.1 apply.

    9 When is information not relevant to a purpose for which it is being used?

    Here are some examples of when an agency may be using personal information for a purpose to which it is not relevant:
     
     

    * personal information used in job selection processes

    An agency uses the information that a person has (or does not have) a particular type of security clearance, in a selection process for a job that does not require that kind of clearance. The agency may be treated as breaching IPP 9.
     
     

    * information with personal identifiers used in statistical research

    An agency uses records containing personal information with personal identifiers (like name and address) still attached, in research for statistical purposes. This research does not require individual data subjects to be identified. The agency may be treated as breaching IPP 9.
     
     

    But the agency may not be breaching IPP 9 if the purpose for which it uses the information is a "longitudinal study", which aims to gather statistical data on the experience of a group of people over time. In this type of study, it is necessary to contact the same people at regular intervals. So the identifying details of the sample members are relevant to the purpose of the study, and the information is clearly relevant to the purpose for which it is being used.
     
     

    * personal information about a person's relatives

    An agency uses information about the criminal history of a person's relatives for assessing that person's likely behaviour or preferences. The agency may be at risk of breaching IPP 9 because information about a person's relatives is rarely relevant in making decisions about the person themselves.

    * personal information about a person's religion, ethnic background, or sexuality

    An agency uses information about a person's religion, ethnic background, or sexuality in making a decision. The agency may be treated as breaching IPP 9 if the information is not relevant to the decision. The agency needs to take great care in assessing the relevance of this information before it decides to use it in its decision making.

    Note that even if the personal information is relevant to the purpose it is used for, anti-discrimination legislation may still apply.

    Information Privacy Principles 10.1 and 11.1 - basic rules about using and disclosing

    What are the guidelines on the basic rules in IPP 10.1 and 11.1?
    Guideline 10 gives the text of IPP 10.1

    Guideline 11 gives the text of IPP 11.1

    Guideline 12 tells you what personal information is covered by IPPs 10 and 11
     
     

    10 What does IPP 10.1 say?
    The text of IPP 10.1 is:
     
     

    A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless...

    Meaning of IPP 10.1

    IPP 10.1 sets limits on how an agency may use personal information:
     
     

    * General rule: IPP 10.1 says that an agency may only use personal information for the particular purpose for which it obtains the personal information.

     * Exceptions: IPP 10.1 (a) to (e) lists 5 situations in which an agency may use personal information for purposes other than that for which it obtains the personal information.

    Concept underlying IPP 10.1 - "reasonable expectation"

    The general rule in IPP 10.1 is based on the concept of "reasonable expectation" - that is - people usually give personal information to an agency with a specific purpose in mind (for example, they want a licence, or a benefit payment, or a tax refund), and they should be able to expect the information to be used for that purpose only.
     
     

    Working out the "particular purpose" for which information is obtained

    An agency must know exactly why it is obtaining the information
    When an agency obtains personal information, it must have in mind a specific, well defined purpose for doing so. It must know exactly what it is trying to achieve by obtaining the information.

    This requirement applies whether the personal information is obtained directly from the person the information is about, or whether it is obtained from another agency or some other organisation. This requirement is consistent with requirements about collecting personal information in IPPs 1 to 3.

    Sometimes an agency may have to judge how broad its purpose is in obtaining personal information.

    For example: If an agency obtains personal information from Ms A on an application form for a Program X benefit payment, how broadly should an agency interpret the purpose for which it obtains the information?
     
     

    * "To perform the lawful functions of the agency" is clearly too broad a purpose, since the agency may perform many, and quite different, functions. In practice, this interpretation imposes no limit on how an agency uses personal information (apart from lawfulness under other legislation), and IPP 10 has no effect.
     
     

    * "To decide if payments to Ms A should be started for this financial year" is too narrow a purpose. If the agency wants to send Ms A information about changes to her benefits, it is artificial to conclude that this is use for a purpose that is different from the purpose for which the agency originally obtains the information.
     
     

    * "To apply Program X to Ms A" seems a reasonable interpretation. It restricts uses to those related to Ms A's involvement with the particular program while also permitting uses that are necessary to that involvement. This interpretation is probably in line with Ms A's "reasonable expectations".

    If an agency obtains personal information directly from the person it is about
    The purpose for which an agency obtains personal information within IPP 10.1 must be consistent with the purpose stated in the IPP 2 notice that accompanied the original collection of the information.
     
     

    IPP 2 says that if an agency obtains personal information directly from the person the information is about, it must clearly explain to the person its particular purpose for doing so. The agency should do this at the time it obtains the information from the person.
     
     

    The purpose for obtaining the information also should be what a reasonable person expects.

    For example:
     
     

    * personal information obtained on an application form is obtained for the purpose of assessing the application.

     * personal information obtained when someone is making an enquiry is obtained for the purpose of answering the enquiry.

     * personal information obtained in a survey is obtained for the purpose of finding out statistical (not individual) information.

     * personal information obtained in an audit is obtained to assess compliance in the past and the risk of non compliance in the future.

    If an agency obtains personal information from a third party

    If an agency obtains personal information from another organisation, then its purpose in obtaining the information is limited by any conditions the other organisation places on releasing the information. Often, these conditions reflect the expectations of those from whom the information was originally obtained.
     
     

    An agency should always be clear about why it is obtaining the information. It should be able to define this purpose in response to enquiries from individuals, or from the Privacy Commissioner following a complaint.
     
     

    Exception 10.1(e) supports a narrow view of "purpose"
    Exception 10.1(e) allows personal information to be used for a purpose directly related to the purpose for which the information is obtained. This exception supports the view that the particular purpose should not be interpreted too broadly. To interpret "purpose" broadly would make IPP 10 ineffective because it would bring almost any use within exception 10.1(e).
     
     

    11 What does IPP 11.1 say?

    The text of IPP 11.1 is:
     
     

    A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) ..
     
     

    Meaning of IPP 11.1

    IPP 11.1 limits the situations in which an agency may disclose personal information:
     
     

    * General rule: IPP 11.1 says that an agency may only disclose personal information to the person the information is about. An agency must not disclose that information to any other person or organisation.

     * Exceptions: IPP 11.1 (a) to (e) lists 5 situations in which an agency may disclose personal information to someone other than the person the information is about.
     
     

    Concept underlying IPP 11.1 - "confidentiality of client information"
     
     

    Australian public administrators have always emphasised the importance of confidentiality of client information - and the general rule in IPP 11.1 is based on that concept.

    IPP 11.1 allows disclosure to the "individual concerned"

    The "individual concerned" means the person who the personal information is about.
     
     

    IPP 11.1 does not prevent an agency:
     
     

    * telling a person what personal information it holds about them, and

    * disclosing that personal information to them.

    In fact, IPP 6 gives a person the right to access personal information held about them, unless another law prevents them having access. If another law does prevent them having access, the agency should explain this to them.
     
     

    People acting on behalf of the individual concerned
     
     

    An agency can disclose personal information about a person to someone acting on behalf of the person. See Disclosing to representatives of the person the information is about on page 36
     
     

    12 What information do IPPs 10.1 and 11.1 apply to?

    IPP 10.1 and IPP 11.1 (including their exceptions) apply only to personal information that an agency:
     
     

    * obtains on or after 1 January 1989 (the date the Privacy Act commenced), or

     * obtained before 1 January 1989 but amends on or after that date in a way that significantly changes its meaning.

    But it may be difficult to work out exactly what personal information falls into these categories. So the Privacy Commissioner encourages agencies to treat all personal information, whenever obtained, as being subject to these IPPs.

    Information Privacy Principles 10.1 and 11.1 - exceptions to the basic rules

    What are the guidelines on the exceptions to IPP 10.1 and 11.1?

    Guideline 13 explains how the exceptions work
     
     

    13 Overview of the exceptions to IPPs 10.1 and 11.1

    The general rules set out in IPPs 10.1 and 11.1 state that an agency:

    * may only use personal information for the particular purpose for which it obtains that information (10.1), and

     * may only disclose personal information to the person the information is about, and not to any other person or organisation (11.1).

    Clearly, fair and effective administration of government programs would be impossible if these rules were absolute. So, a number of exceptions in IPPs 10.1 and 11.1 list situations in which an agency may:
     
     

    * use personal information for another purpose, or

    * disclose personal information to someone other than the person the information is about.

    When the exceptions apply

    A use does not breach IPP 10.1, and a disclosure does not breach IPP 11.1, if:
     
     

    * the person the information is about consents to the use or disclosure:

    exceptions 10.1(a) and 11.1(b)

    * the use or disclosure is necessary to protect against a serious and imminent threat to a person's life or health:

    exceptions 10.1(b) and 11.1(c)

    * the use or disclosure is required or authorised by law:

    exceptions 10.1(c) and 11.1(d)

    * the use or disclosure is reasonably necessary to enforce the criminal law or a law imposing a pecuniary penalty, or to protect public revenue:

    exceptions 10.1(d) and 11.1(e)

    As well...
     
     

    A use does not breach IPP 10.1 if:
     
     

    * the use is directly related to the purpose for which the agency obtained the information:

    exception 10.1(e)

    A disclosure will not breach IPP 11.1 if:
     
     

    * the person the information is about has been told in a valid IPP 2 notice, or is otherwise likely to know, that that kind of disclosure is commonly made:

    exception 11.1(a)

    How the exceptions should be used

    Where an exception applies, the agency should consider the spirit as well as the letter of the Act. The agency should:
     
     

    * seek to disclose, or to use, no more personal information than is necessary, and

     * aim to give the person the information is about as much control as possible over their personal information. This can be done by:

    - being as open as possible with that person, and

    - seeking their consent to a use or disclosure whenever that is practical - even if an exception not requiring their consent is available, and

    - giving them a full and informative IPP 2 notice so that they know how the personal information they provide will be handled.
     
     

    Which exceptions are the most reliable?

    The best exceptions to rely on are the "consent" exceptions in IPPs 10.1(a) and 11.1(b). The agency can safely use or disclose personal information under these exceptions if the person the information is about clearly understands the use or disclosure they are consenting to, and they are not forced to consent.
     
     

    The "required or authorised by law" exceptions in IPPs 10.1(c) and 11.1(d) are also reliable. If a use or disclosure is specifically required or authorised by a relevant law, the agency can safely proceed.
     
     

    IPPs 10.1(b) and 11.1(c), the "life and health" exceptions, should only be used in emergency situations. They should not be used for routine disclosures.
     
     

    IPP 11.1(a), the "reasonably likely to be aware or made aware" exception, should be used with care. If an agency relies on the "reasonably likely to be aware" part of the exception, it must make a difficult judgment about what the person the information is about is reasonably likely to know. Often, it is safer to obtain the consent of that person and to rely on IPP 11.1(b).

    IPP 10.1(e), the "directly related purpose" exception, should also be used with care. If an agency relies on this exception, it must judge if the purpose for which it obtains the personal information is directly related to the purpose for which it wants to use the information.
     
     

    IPPs 10.1(d) and 11.1(e), the "law enforcement and revenue protection" exceptions, are likely to be the most difficult for an agency to rely on. They require careful judgments about what is "reasonably necessary" to achieve a particular purpose. They should be used as little as possible.
     
     

    Applying the exceptions to data-matching

    Data-matching involves taking personal information from one database and comparing it with personal information from another database. The aim is usually to identify people common to both databases whose circumstances suggest that they should be subject to further investigation or other action. Data-matching poses particular risks to the privacy of people's personal information. It usually involves disclosing personal information about large numbers of people, most of whom are of no interest to the agency conducting the matching.
     
     

    To supplement the IPPs as they apply to data-matching, the Privacy Commissioner has issued Guidelines for the use of data-matching in Commonwealth administration, available from his office. These guidelines are voluntary, but the Privacy Commissioner encourages agencies to follow them.
     
     

    Note that the Data-matching Program (Assistance and Tax) Act imposes special requirements on agencies involved in data-matching that falls within that Act.
     
     

    Exceptions 10.1(a) and 11.1(b) - consent by the individual concerned

    What are the guidelines on exceptions 10.1(a) and 11.1(b)?

    Guideline 14 gives the text of exceptions 10.1(a) and 11.1(b)

    Guideline 15 explains that consent must be informed and given freely

    Guideline 16 discusses implied and express consent

    Guideline 17 tells you who must give, and who may obtain, consent
     
     

    14 What do exceptions 10.1(a) and 11.1(b) say?

    The text of exception 10.1(a) is:
     
     

    ... [unless] the individual concerned has consented to use of the information for that other purpose
     
     

    The text of exception 11.1(b) is:
     
     

    ... [unless] the individual concerned has consented to the disclosure
     
     

    Meaning of exceptions 10.1(a) and 11.1(b)

    Exception 10.1(a) allows an agency to use personal information for any purpose if the person the information is about consents to it being used for that purpose.
     
     

    Exception 11.1(b) allows an agency to disclose personal information for any purpose if the person the information is about consents to it being disclosed for that purpose.
     
     

    15 Consent (whether implied or express) must be informed and free

    Informed consent

    If an agency wants to use exception 10.1(a) or 11.1(b), it must be able to show that the person the information is about:
     
     

    * is accurately informed of what they are consenting to, or

     * can reasonably be assumed to understand what they are consenting to, at the time they consent.

    This may require the agency to take special measures, for example, when seeking consent from a person who has difficulty with English.
     
     

    The agency must explain clearly what consent it seeks

    The agency must take all reasonable steps to ensure that the person the information is about fully understands what they are consenting to. This includes:

    * the personal information that may be used or disclosed

     * the purpose for which it is to be used or disclosed, and to whom it is to be disclosed - identified as specifically as possible

     * what happens if consent is not given.

    An agency should not seek a broader consent than is necessary for its purposes
     
     

    Vaguely worded consents that may be interpreted as covering any use or disclosure make it difficult for the agency to show that the person the information is about has consented to the particular use or disclosure in question.

    Words like "may disclose ... to other bodies as appropriate" are not acceptable because they do not give the person consenting a clear idea of what they are consenting to. Relying on phrases like these may result in the agency breaching the IPPs. So an agency should not seek a broader consent than is necessary for its purposes.
     
     

    Free consent

    If an agency wants to use exceptions 10.1(a) and 11.1(b) then the person the information is about must freely consent to the use or disclosure.

    A "consent" from a person who has, or reasonably believes they have, no real choice but to consent is not adequate for exceptions 10.1 (a) or 11.1 (b).
     
     

    For example: if the person the information is about knows or believes that serious adverse consequences will follow if they refuse to consent, any consent they give is not freely given. An agency should not suggest that it is obtaining consent if the person the information is about has no practical alternative but to consent.

    How can an agency tell if a person has no effective choice but to consent?
     
     

    In deciding if consent is adequately free, an agency should take into account these factors (if it is aware of them):

    * the extent to which the person the information is about is able to influence the way in which an agency handles the information

     * the alternatives open to the person the information is about, if they choose not to consent

     * any serious financial consequences (judged from what the agency can reasonably infer from the circumstances of the person the information is about) that could flow from refusing to consent

    For example: what would be a serious financial consequence for an aged pensioner may not be for some other members of the community.
     
     

    * any undesirable social consequences, such as embarrassment, if they refuse to consent

     * adverse consequences for family members or other intimates if they refuse to consent.

    What an agency should do if a person cannot freely consent

    If a person cannot freely consent to the agency disclosing their personal information, the agency should not try to rely on exception 11.1 (b) and seek an empty "consent" from that person.
     
     

    If the disclosure is usual practice, the agency should instead:
     
     

    * tell the person that the disclosure is the agency's usual practice, and

     * rely on exception 11.1(a).

    For example: if a benefit agency:
     
     

    * seeks consent from its client to use personal information it obtained for another purpose, to check the client's eligibility for income support benefits, and

    * makes it clear that benefits will be withdrawn if consent is not given,

    then any consent given by the client is not adequate for exception 11.1 (b).
     
     

    Consent can be revoked at any time
     
     

    Consent is only valid if it is current. A person can consent to a use or disclosure and then later withdraw their consent.
     
     

    For example:
     
     

    * someone who has split up with their spouse may no longer consent to disclosures to the spouse

     * a young person who has moved away from home may no longer consent to disclosures to their parents.

    An agency must be sure that the consent is current before relying on it.
     
     

    16 Must consent be express - or is implied consent sufficient?

    Implied consent

    The Privacy Act defines "consent" to include "implied consent" (section 6(1)).

    An implied consent may be valid - but if an agency relies on implied consent, it must make a difficult judgment about what a person may think in particular circumstances or what a person may mean by a particular action. Wrong decisions can lead to serious breaches of privacy.

    As a general rule, the Privacy Commissioner advises agencies to get the person the information is about to take positive action to express their consent.
     
     

    Examples of implied consent:
     
     

    * A person gets their member of parliament (MP), doctor, or solicitor to write to an agency about a particular matter. The person impliedly consents to the agency replying, including with any personal information about the person, to the MP, doctor, or solicitor.

    The Privacy Commissioner has released guidelines for Commonwealth agencies providing personal information to MPs. They are available in the Federal Privacy Handbook (loose-leaf service) or from the Privacy Hotline: 1300 363 992
     
     

    * A person who sends a letter of complaint to an agency copies the letter to their representative in the matter. The person may be taken to impliedly consent to the agency disclosing relevant personal information to the representative.

    Note these points about implied consent:
     
     

    * An agency should not normally assume that the person the information is about has consented to a use or disclosure simply because they have not objected.

     * An agency does not establish implied consent by showing that, if the person the information is about knew of the use or disclosure and the benefits it would bring them, they would probably consent to it.

    * An agency must not assume that the person the information is about has consented to a use or disclosure - just because the use or disclosure seems advantageous to that person.

     * An agency must not assume that a person consents to the disclosure of their personal information to their spouse or family members. The agency can only disclose the personal information to these people if the person the information is about consents to the disclosure. Although in many cases a person may approve of a disclosure to a requesting spouse or family member, this is not always so.

    For example: An agency should be especially careful when a couple is going through divorce or separation. In this situation, disclosing information about one party to the other may constitute a very serious breach of privacy. A number of these types of cases have been the subject of formal complaints to the Privacy Commissioner.
     
     

    * The more sensitive the personal information, the stronger the case for obtaining express consent. Sensitive personal information may be used or disclosed on the basis of implied consent, but only if the implication is unambiguous.

     * It is dangerous for an agency to assume how a particular person may view a set of circumstances:

    For example:

    * If a person appeals to an agency that handles complaints, that agency should not assume that the person would consent to it disclosing personal information to the agency's State or Territory counterparts. The agency must check with the person to see if this use or disclosure is acceptable.

     * An agency should not assume that because an applicant for a particular benefit consents to their referee knowing some personal information about them, they consent to all related information being disclosed to the referee. An agency can only assume a person consents to the extent that there is conclusive evidence of consent.

    How to obtain express consent

    What is the best evidence of genuine consent?
    The best evidence of genuine consent is given when a person has to do something deliberate to indicate they consent (for example, write a letter, tick a consent box or sign a statement saying they consent).
     
     

    A clearly worded letter of consent signed by the person the information is about is a good way to get consent.
     
     

    If an agency is using a form to get consent it should make it as easy as possible for the person to exercise their choice about whether or not to consent. The agency can use:

    * a consent box that is ticked to show consent or left blank to show no consent, and a single signature space at the foot of the form that applies to the consent box and other material in the form. This approach is usually feasible.

    Here is a text for a consent box that the Privacy Commissioner would regard as providing adequate assurance of informed consent:
     
     
    If you consent, we can advise the Department of X, Y and Z of your new level of benefits. This will ensure that the Department does not make any overpayment to you (which you would have to pay back later).

     We can only do this if you consent. Do you consent? (please tick one box only)

    No [ ]

    Yes [ ]

    * no consent box, but a separate signature space for consent. This is especially desirable for more sensitive personal information

    Obtaining consent at the time personal information is obtained

    An agency should obtain any necessary consent from the person the information is about, at the time it obtains the information. If this is not possible (for example, if the program being administered changes in some way that requires a new consent) an agency may seek consent during routine contact with the person the information is about, such as billing.
     
     

    Oral consent may be acceptable in some circumstances
     
     

    Written consent is the best evidence of express consent because what the person has consented to is more likely to be clear. But an oral consent may be an acceptable form of express consent if:
     
     

    * an officer of the agency hears the consent personally and makes a signed record of it (because it is difficult to establish that an oral consent has been given if there is no record of it), and

     * the agency is satisfied that the person giving the oral consent is the person the information is about.

    An agency should have a policy about the types of uses and disclosures for which it will accept oral consent, and the types for which it requires written consent.

    17 Who must consent, and who must obtain that consent?
    Who must consent to the use or disclosure?


    The individual concerned must consent


    The "individual concerned" is the person who is the subject of the personal information that is to be used or disclosed. Normally, this is the person who must consent to the use or disclosure.
     
     
    Consent by third parties
    Sometimes a third party (for example, a parent or guardian) may consent to a use or disclosure on behalf of the person the information is about - but only if the person the information is about is not able to consent themselves.

    For example: the person the information is about may be a young child, or a person with a disability or condition that prevents them consenting.

    If someone under 18 years of age is sufficiently old and mature to consent on their own behalf, it may not be appropriate to rely on a consent given by another person.
     
     

    Sometimes legislation may say that a third party can consent on behalf of the person the information is about.
     
     

    In deciding if it should rely on consent from a third party, an agency should consider:

    * the legal situation

     * the interests of the child or person the information is about.

    The agency should not assume that a third party needs to consent on behalf of the person in all cases, just because it was appropriate in one case.
     
     

    What if the information is about more than one person?

    If a single piece of information constitutes personal information about more than one person, all of those people must consent to the use or disclosure of that piece of information.
     
     

    For example: if an agency holds the information that A and B lived in a marriage-like relationship for a particular period, that is personal information about both A and B. If the agency wanted to use or disclose that information under exceptions 10.1(a) or 11.1(b), it would have to obtain consent from both A and B.
     
     

    Disclosing to representatives of the person the information is about

    If the person the information is about consents, an agency may disclose their personal information to that person's representative (for example, their lawyer, tax agent, or Member of Parliament, or their representative from a welfare agency).
     
     

    An agency must make sure the person is truly a representative
    An agency must make sure that the person the information is about truly has consented to it disclosing the personal information to the representative. The best evidence of consent is a clear written consent from the person the information is about. The more sensitive the personal information, the stronger the case for requiring written consent.

    An agency must verify the identity and authority of apparent representatives. If the person the information is about has not given a signed authority, the agency may rely on other evidence that shows the apparent representative is a true representative. The agency must judge what evidence is adequate in this situation. Evidence may include the agency's previous contact with a representative. An agency should have a clear policy on when staff may disclose personal information to an apparent representative.

    An agency must only disclose the information consented to

    An agency should make sure it only discloses the information that the person the information is about consents to - that is, personal information that the client could reasonably expect the agency would give to their representative.
     
     

    For example:

    * if a lawyer is representing a person in a complaint against an agency, the agency can assume that the person has consented to it disclosing to the lawyer personal information about the complaint itself. The agency cannot assume that the person consents to it disclosing other personal information, like the history of the person's relationship with the agency.
     
     

    * a person may give someone a power of attorney concerning particular matters only.

    An agency should have a clear policy on the type and amount of information that it can disclose in different situations.
     
     

    Frequent dealings with representatives
     
     

    If an agency often deals with representatives, it should consider asking all new clients to identify the people to whom their personal information may be disclosed.
     
     

    Obtaining consent to the disclosure if disclosing to a third party

    If a third party is asking the agency to disclose personal information, it is usually the agency (not the third party) that must obtain the consent to that disclosure from the person the information is about.
     
     

    This is because the disclosing agency is responsible for making sure that the person the information is about consents to the disclosure, within exception 11.1(b). Although the agency can accept evidence from the third party that this is so, the safest course for the agency is to obtain the person's consent itself.
     
     

    Exception 11.1(a) - aware the disclosure is usual practice

    What are the guidelines on exception 11.1(a)?

    Guideline 18 gives the text of exception 11.1(a)

    Guideline 19 explains when a person is "reasonably likely to have been aware"

    Guideline 20 explains when a person is "reasonably likely to have been made aware under IPP 2"

    Guideline 21 tells you when the person needs to be aware that the disclosure is usual practice

    Guideline 22 explains "usually passed on"

    Guideline 23 explains "information of that kind"

    Guideline 24 explains "that person, body, or agency"

    18 What does exception 11.1(a) say?
    The text of exception 11.1(a) is:
     
     

    ... [unless] the individual concerned is reasonably likely to have been aware, or made aware under principle 2, that information of that kind is usually passed to that person, body or agency.
     
     

    Meaning of exception 11.1(a)

    Note: this exception applies only to disclosures.
     
     

    Exception 11.1(a) allows an agency to disclose personal information to someone other than the person the information is about, or to an organisation or agency, if:

    * at the relevant time (guideline 21)

     * the person the information is about is reasonably likely:

     * to have been aware (guideline 19), or

     * to have been made aware under IPP 2 (guideline 20)

     * that the agency usually discloses (guideline 22)

     * that kind of information (guideline 23)

    * to the person, organisation, or agency, to whom it is to be disclosed (guideline 24).

    The test is what is reasonably likely, not what is actually so
    The test is whether the person the information is about is reasonably likely to have been aware, or made aware under IPP 2 - not whether they actually have been aware or made aware. A person may be reasonably likely to be aware even if actually they are not aware.
     
     

    19 When is a person "reasonably likely to have been aware"?

    Factors to take into account
     
     

    The disclosing agency must be able to explain why it thought the person was reasonably likely to have been aware. In practice, the agency must work this out case by case. In doing so, it should take into account:
     
     

    * the relationship that the person the information is about has with the agency

    For example: if the person the information is about asks a welfare agency to arrange for another agency to provide them with a service, that person is reasonably likely to be aware that the welfare agency will pass relevant personal information to that other agency.
     
     

    * the occupation of the person the information is about

     * the life experience of the person the information is about

    For example: a public servant of long standing is reasonably likely to be aware of routine flows of personnel information - for example, that their personnel file follows them when they transfer to another agency.
     
     

    * the previous actions of the person the information is about.

    For example: the person may have written a letter or had other contact with the agency that indicates they are aware of a usual disclosure practice.
     
     

    Do not assume too much about what people are likely to be aware of
     
     

    As a general rule, it is important not to assume too much about what people are likely to be aware of. Most people know little about the mechanics of Commonwealth administration.

    An agency might find it useful to consult with its client groups to find out what can reasonably be assumed about the knowledge of a group as a whole.

    When it may be obvious or common knowledge that a disclosure is usual
     
     

    A person is considered to be reasonably likely to have been aware that a particular disclosure is usual if it is obvious or common knowledge that it is usual.
     
     

    For example:
     
     

    * a person involved in administering a government program is reasonably likely to be aware of disclosures that are an ordinary part of the functioning of the program. But a member of the general public is not reasonably likely to be aware of much about the ordinary functioning of a program, especially since this changes with changes in policy, technology, agency responsibilities and so on.
     
     

    * a person who complains publicly about an agency in relation to their circumstances (for example, to the media) is considered to be reasonably likely to be aware that the agency may respond publicly - and in a way that reveals personal information relevant to the issues they have raised.
     
     

    * a person who sends a letter to the wrong Minister is reasonably likely to be aware that the letter will be forwarded to the Minister who has responsibility for the subject of the letter.

    20 When is a person "reasonably likely to have been made aware under IPP 2"?

    For a person to be "reasonably likely to have been made aware" under IPP 2, they must have been given a valid IPP 2 notice.

    See guideline 12 of the Plain English Guidelines to IPPs 1-3 to find out what constitutes a valid IPP 2 notice. These guidelines are available on the Commonwealth Managers' Toolbox (CD ROM).
     
     

    21 When must the person be aware or have been made aware?

    When must the person "have been aware"?

    If the agency is relying on this part of exception 11.1(a), it must show that the person the information is about is reasonably likely to be aware that the disclosure is usual practice at the time of the disclosure.
     
     
    When must the person "have been made aware under IPP 2"?
    If the agency is relying on this part of exception 11.1(a), it must have given the person the information is about a valid IPP 2 notice at the time they provided the personal information - or, if that is impractical, as soon as practical afterwards.
     
     

    If an agency wants to use a new disclosure practice that it has not told people about in its IPP 2 notices, then it should rely on the "consent" exception in IPP 11.1(b), or the "required or authorised by law" exception in IPP 11.1(d).
     
     

    22 Meaning of "usually passed on"
    For exception 11.1(a) to apply, the person the information is about must be reasonably likely to have been aware, or have been made aware, that the personal information they give the agency is of a kind that the agency "usually passes on". This requirement is discussed in more detail in the Plain English Guidelines to IPPs 1-3, guideline 13.

    In summary, an agency "usually passes on" personal information to another body if it is the agency's normal practice to disclose some or all of that type of personal information to that body. So, an agency "usually passes on" personal information to another body if:
     
     

    * it is the agency's normal practice to disclose all of that type of personal information to that body, or

     * the agency discloses only some of that type of personal information to that body but it is its normal practice to do so.

    "Usually passing on" does not include disclosing information only in exceptional situations.
     
     

    For example: Information is not normally considered to be "usually passed on" if it is given to police in response to a search warrant, or to a court in response to a subpoena.
     
     

    23 Meaning of "information of that kind"

    An agency should only disclose information that the person the information is about could reasonably be expected to be aware would be disclosed.
     
     

    If the person is made aware through a valid IPP 2 notice, the "information of that kind" requirement is usually satisfied because a valid IPP 2 notice usually sets out clearly which information obtained is usually disclosed.

    See guideline 12 of the Plain English Guidelines to IPPs 1-3 to find out what constitutes a valid IPP 2 notice. These guidelines are available on the Commonwealth Managers' Toolbox (CD-ROM).
     
     

    If an agency obtains personal information from a person in a less structured way (for example, through a wide-ranging interview with them), it should tell that person clearly:
     
     

    * what kind of personal information it usually discloses

    For example: the agency could say that it may disclose to another body information that identifies people and information on the level of benefits that people receive.

    * what sort of personal information (if any) it will not disclose.

    24 Meaning of "that person, body, or agency"
    An agency must tell the person the information is about, to whom it usually discloses that kind of personal information. The agency must do this as clearly and specifically as possible. This requirement is satisfied when the person is aware of the precise identity of that "person, body, or agency". So the agency should try to name the "person, body, or agency" whenever possible.
     
     

    But 11.1(a) may sometimes apply even if the agency does not tell the person the information is about, the specific name of the "person, body, or agency".

    For example: if the agency intends disclosing the personal information to a number of bodies of the same type, it need only tell the person the type of body involved (for example, State Education Departments).
     
     

    What if an agency changes its name?
    If a person is told that their personal information may be disclosed to a specific agency which later changes its name (for example, because of a change in ministerial arrangements), a disclosure to the agency under its new name still falls within exception 11.1(a) if the purpose for disclosing the information is unchanged.
     
     
    What if an agency transfers its function?
    If a person is told that their personal information may be disclosed to a specific agency, and that agency later transfers the function (that gives rise to the disclosure practice) to:
     
     

    * a new agency - then a disclosure to the new agency may still fall within exception 11.1(a) if:

    - the purpose for disclosing the personal information to the new agency is exactly the same as for the old agency, and

     - the new agency uses the personal information for no other purpose.
     
     

    For example: If an agency tells the person the information is about that their personal information may be disclosed to the Wombat Tunnels Disputes Board, but wombat tunnel disputes are now handled by a unit in the Native Animal Agency (NAA), exception 11.1(a) may apply to a disclosure to the NAA. But NAA must use the personal information for the sole purpose of resolving wombat tunnel disputes.
     
     

    * a state government body or a private organisation - then the disclosing agency should rely on the "consent" exception in IPP 11.1(b) or the "required or authorised by law" exception in 11.1(d).
     
     

    Exceptions 10.1(b) and 11.1(c) - threat to life or health

    What are the guidelines on exceptions 10.1(b) and 11.1(c)?

    Guideline 25 gives the text of exceptions 10.1(b) and 11.1(c)

    Guideline 26 explains what "reasonable grounds" are

    Guideline 27 explains "necessary to prevent or lessen"

    Guideline 28 explains what a "serious and imminent threat to life or health" is

    Guideline 29 tells you whose life or health must be threatened

    25 What do exceptions 10.1(b) and 11.1(c) say?

    The text of exception 10.1(b) is:
     
     

    ... [unless] the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person
     
     

    The text of exception 11.1(c) is:
     
     

    ... [unless] the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person
     
     

    Meaning of exceptions 10.1(b) and 11.1(c)

    Exception 10.1(b) allows an agency to use personal information if:
     
     

    * it reasonably believes (guideline 26)

     * that this is necessary to prevent or lessen (guideline 27)

     * the threat of death or serious injury (guideline 28)

     * to the person the information is about, or some other person (guideline 29).

    * The threat must be serious and about to happen (guideline 28).

    Exception 11.1(c) allows an agency to disclose personal information in the same circumstances.

    Only use these exceptions in an emergency

    Only use these exceptions in an emergency, when someone is at serious risk that demands immediate action.

    For example: if an outbreak of typhoid is connected with contaminated food on an aeroplane, immediate access to the latest available address information may be necessary:
     
     

    - to trace possible carriers of the disease, and

    - to enable preventive treatment to be given to people who may have come into contact with the carriers.
     
     

    An agency should not use these exceptions to justify any class of routine uses or disclosures, even if those uses or disclosures are aimed at reducing serious threats to life or health.
     
     

    26 What are "reasonable grounds"?

    Note that "reasonable grounds" for believing that something is the case does not mean that something must actually be the case. This is consistent with the common law on confidentiality, which allows a disclosure of personal information to appropriate authorities if:
     
     

    * honestly made, and

    * made in the reasonable belief that it is likely to relieve a serious and imminent threat to a person's life or health.

    The agency is responsible for deciding whether or not there are reasonable grounds for using or disclosing the personal information.

    An agency should have guidelines on:
     
     

    * the appropriate level of seniority in the agency at which decisions can be made about whether or not there are reasonable grounds, and

     * the range of matters that should be taken into account when deciding whether or not there are reasonable grounds. These include:

    - the source and reliability of the information that indicates a threat to life or health, and

     - the seriousness of the indicated threat.
     
     

    If there is a complaint or a privacy audit, the Privacy Commissioner (or ultimately, the Federal Court) must judge whether or not the grounds for using or disclosing the personal information are reasonable.
     
     

    27 Meaning of "necessary to prevent or lessen"

    The agency must reasonably believe that the use or disclosure is necessary to:
     
     

    * prevent the threat, or

    * lessen the threat to a noticeable extent. These exceptions are unlikely to apply to a use or disclosure that only marginally lessens a risk.

    An agency must consider if there are reasonable alternatives
     
     

    Using or disclosing personal information, even to prevent or lessen a serious threat to health or life, may significantly disadvantage the person the information is about. If this is the case, an agency should seriously consider if there are any effective alternatives available that do not have this consequence.
     
     

    28 What is a "serious and imminent threat to life or health"?

    "serious"

    The threat must be serious. What is a "serious threat" depends on the particular circumstances of each case.
     
     

    As a guideline:
     
     

    * an explicit threat of murder or assault is certainly a serious threat

     * a threat of infection with a life-threatening condition is usually a serious threat.

     * a specific threat of physical harm to a particular officer in an agency usually counts as a serious threat. (Abuse directed to staff in general does not usually count as a serious threat.)

    "imminent"

    This means that the threatened harm must be about to happen.

    "threat to life or health"

    The threat must be to an individual's body. So there must be a threat of bodily injury, illness, or death. Threats of contracting (or being denied effective treatment for) a serious medical condition are also threats to life or health.
     
     

    Threats to finances or reputation are not threats to life or health.
     
     

    29 Whose life or health must be threatened?

    The threat does not have to apply to an identifiable person. It may be a threat of serious harm to be randomly inflicted, so that it is impossible to tell who exactly the threat is directed at.
     
     

    Exceptions 10.1(c) and 11.1(d) - required or authorised by law

    What are the guidelines on exceptions 10.1(c) and 11.1(d)?

    Guideline 30 gives the text of exceptions 10.1(c) and 11.1(d)

    Guideline 31 discusses getting advice on when exceptions 10.1(c) and 11.1(d) apply

    Guideline 32 explains "law"

    Guideline 33 explains "required by or under law"

    Guideline 34 explains "authorised by or under law"

    Guideline 35 explains how to make sure you comply with exceptions 10.1(c) and 11.1(d)
     
     

    30 What do exceptions 10.1(c) and 11.1(d) say?

    The text of exception 10.1(c) is:
     
     

    [unless] ... use of the information for that other purpose is required or authorised by or under law
     
     

    The text of exception 11.1(d) is:
     
     

    [unless] ... the disclosure is required or authorised by or under law
     
     

    Meaning of exceptions 10.1(c) and 11.1(d)
     
     

    Exception 10.1(c) allows an agency to use personal information for any purpose that the law requires or authorises.
     
     

    Exception 11.1(d) allows an agency to disclose personal information if the law requires or authorises that disclosure.
     
     

    31 Getting advice on when exceptions 10.1(c) and 11.1(d) apply

    It is ultimately up to the agency to identify powers that may fall within this exception and, if necessary, to obtain appropriate legal advice.

    32 What is "law" for the purposes of 10.1(c) and 11.1(d)?

    What is "law"?

    Law means the law of the Commonwealth jurisdiction. For the purposes of exceptions 10.1(c) and 11.1(d), the following are "law":
     
     

    * Commonwealth Acts

     * Commonwealth delegated legislation

    For example: regulations, determinations.
     
     

    * documents with the force of Commonwealth law

    For example: industrial awards. These documents are not law, but are given the force of law by an Act of Parliament (for example, the Industrial Relations Act).

    * A document may have the "force of law" if:
     
     

    - it is an offence to breach its provisions, or

     - it is possible for a penalty to be lawfully imposed if its provisions are breached.
     
     

    * Disclosures to Commonwealth Ministers

    An agency subject to the direction of a Minister is normally bound to provide them with any information they request that is consistent with their ministerial responsibilities. But some agencies (especially independent statutory agencies) are subject to strict legislative duties of secrecy that may restrict disclosures of personal information to the Minister.
     
     

    For example:

    - Disclosure to any Minister of an individual taxpayer's affairs is limited by the Income Tax Assessment Act

    - Disclosure of information about complaints to the Ombudsman is limited by the Ombudsman Act.
     
     

    * Commonwealth Parliamentary privilege

    One aspect of Parliamentary privilege is that Parliament has the power to make people (and agencies) provide it with information. This power is not set out in the Australian Constitution or any Act of Parliament - but it is another source of lawful authority. With this power, Parliament can require people and agencies to answer Parliamentary questions and provide information to Parliamentary Committees. The Privacy Act does not stop an agency disclosing personal information in either of these situations.

    However, if the Privacy Act would prohibit the disclosure were it not for Parliamentary privilege, it may be appropriate for the agency to approach its Minister with any concerns it has about disclosing the personal information. If the proposed disclosure is to a Committee, the Minister may be able to find out from the Committee if the disclosure is really necessary. Alternatively, the Minister may be able to arrange for the personal information to be disclosed confidentially. Most Committees (except Senate Estimates Committees) can receive confidential evidence.
     
     

    Parliamentary privilege does not apply to requests for information from agencies made by Members or Senators acting on behalf of their constituents.
     
     

    What is not "law"?
    Agencies often try to justify uses or disclosures on the basis that they are required or authorised by the following, but normally these are not acceptable:
     
     

    * state law

    State law does not usually bind a Commonwealth agency unless the Commonwealth has submitted to the state law by its own law.

    For example: in the service and execution of court process, the Commonwealth has bound itself to comply with properly issued process from state courts (writs, subpoenas, search warrants, etc).
     
     

    * common law (which consists of broad statements of legal principle and is made by judges - as opposed to statute law which is legislation made by Parliament)

    But, in some limited circumstances common law duties may arise. The Privacy Commissioner has occasionally accepted that a disclosure is necessary to satisfy requirements imposed by the common law principle of natural justice. But these cases are expected to arise rarely.

    * requests for personal information from foreign governments

    International requests for information are not usually for personal information. If they are, they only fall within exceptions 10.1(c) or 11.1(d) if there is a Commonwealth law that requires or authorises the agency to provide personal information in those circumstances. Similarly, treaty obligations only fall within these exceptions if there is a Commonwealth law that enacts that obligation.
     
     

    * Cabinet decisions

    Although Cabinet decisions very often set in motion the machinery for making laws, they are not themselves law.
     
     

    * inter-agency agreements and contracts between an agency and other parties

    But the terms of these agreements and contracts may fall within exceptions 10.1(c) and 11.1(d) if an Act of Parliament (or other legislation) specifically gives them the force of law.
     
     

    33 Meaning of "required by law"

    When does a law require an agency to use information for another purpose?
    A use for another purpose is usually required by law if legislation governing the using agency specifically requires it to use the personal information for a purpose different from that for which it is obtained.
     
     

    An agency may also be required by law to use personal information for another purpose if:
     
     

    * the agency is governed by legislation that requires it to perform a specific function, and

     * the only possible way the agency can perform that function is by using the particular information for a purpose different from that for which it was obtained.

    When does a law require an agency to disclose information?

    An agency is required by law to disclose personal information if a law governing it specifically requires it to disclose information.
     
     

    For example: a law may require an agency to reveal relevant personal information to a review tribunal or to a person seeking a review of a decision. The agency must comply with this law - although if the law also gives the agency a discretion to withhold specific information, it should exercise that discretion where appropriate.
     
     

    An agency is also required by law to disclose personal information if:
     
     

    * legislation governing the agency to whom the information is to be disclosed (the "receiving agency") gives that agency power to require the specific information to be disclosed, and

     * the receiving agency exercises its power to require the disclosure by formally advising the disclosing agency that it is exercising that power (for example, by issuing a notice to the disclosing agency).

    34 Meaning of "authorised by law"

    There is a difference between "required by law" and "authorised by law". If an agency is required by law to use or disclose personal information, it has no choice in the matter. If an agency is authorised by law to use or disclose personal information, it has a discretion as to whether it will do so.

    When does a law authorise an agency to use information for another purpose?
     
     

    A use for another purpose is a use for a purpose different from that for which the personal information is obtained.
     
     

    A law authorises a use for another purpose if legislation governing the using agency clearly and specifically gives it a discretion to use the personal information for that purpose. The agency must be able to point to a specific relevant discretion in the legislation governing it.
     
     

    A use is not authorised (within 10.1(c)) by a section in an Act that gives a public office holder a general discretion "to do any thing necessary or convenient to be done for or in connection with" their functions.
     
     

    A use is also not authorised just because there is no law prohibiting it. If it were, almost any use would be authorised by law and IPP 10.1 would be ineffective.
     
     

    When does a law authorise an agency to disclose information?

    A law authorises a disclosure if legislation governing the disclosing agency clearly and specifically gives it a discretion to disclose the personal information. The disclosing agency must be able to point to a specific relevant discretion in the legislation governing it. It is not enough for the receiving agency to show that the personal information is relevant to its lawful functions.

    A disclosure is not authorised (within 11.1(d)) by a section in an Act that gives a public office holder a general discretion "to do any thing necessary or convenient to be done for or in connection with" their functions. This is the case whether the section applies to the disclosing or receiving agency.
     
     

    If legislation governing a disclosing agency prohibits a disclosure, the agency cannot make that disclosure - even if legislation governing the receiving agency gives it a general discretionary authority to obtain the personal information.
     
     

    A disclosure is not authorised by law just because there is no law prohibiting it. If it were, almost any disclosure would be authorised by law and IPP 11.1 would be ineffective.
     
     

    Can a law impliedly authorise a use or disclosure?

    A use or disclosure may fall within 10.1(c) or 11.1(d) if the law requires or authorises a function or activity that clearly and directly entails the use or disclosure. Here, the use or disclosure is impliedly authorised by law because it is essential to effect a scheme the law lays down.
     
     

    For example:
     
     

    * An industrial law says that a union must conduct an election for OHS representatives and that this must be an election of all people in the work place (not just union members) and that it must be by postal ballot. It is impossible for this law to be complied with unless the employing agency is able to tell the union the names and addresses of its non-union employees.
     
     

    * Where a function is wholly transferred from one agency to another, disclosures made by the old agency to the new agency are necessary to give effect to the new administrative arrangements. Note that this does not permit the new agency to use the personal information for a purpose other than that for which it is obtained.
     
     

    * If a law authorises an agency to obtain personal information, it authorises disclosures that are an inseparable part of obtaining it. For example, telling the person from whom you are obtaining information the name of the person about whom you are asking.

    35 Making sure the terms of 10.1(c) and 11.1(d) are met

    Identify the law that requires or authorises the use or disclosure
    Before an agency relies on these exceptions to use or disclose personal information, it should identify exactly what law requires or authorises that use or disclosure.
     
     
    A requesting agency should identify the law that supports its request
    If a disclosing agency is responding to a request from another agency or body, the requesting agency needs to be specific about what law authorises or requires the disclosure.
     
     

    The disclosing agency should insist that the requesting agency quote the relevant provision, or at least give a precise reference to the provision. Vague statements like "I am of the opinion that this information is required in the interests of the Commonwealth" are insufficient and a disclosing agency should not accept them.

    Develop guidelines or forms to deal with regular requests for disclosure
    Developing guidelines
     
     

    If an agency is regularly requested to disclose personal information, it should develop guidelines to deal with those requests.
     
     

    Matters these guidelines could set out include:
     
     

    * the sort of personal information that can be released in response to requests under commonly encountered laws, and

     * the sort of evidence needed to establish that a particular law does in fact authorise or require the agency to disclose the requested personal information.

    Developing forms

    If the volume of requests is great enough, it may be worth developing a form (or other formal recording system) to record the details of the request, including:
     
     

    * the name of the organisation and the individual in that organisation making the request

     * the date of the request and the disclosure

     * a specific reference to the legislation that requires or authorises the disclosure

     * the name of the person (or people) whose personal information is disclosed

     * a description of the personal information disclosed.

    Monitoring by senior officers
    An agency minimises the risk of breaching IPP 11.1 if a centrally located and appropriately senior officer oversees its disclosure practices under 11.1(d). This does not mean that the officer need examine every request. But the officer should be in a position to monitor the way that exception 11.1(d) is applied in practice within the agency.
     
     

    Exceptions 10.1(d) and 11.1(e) - law enforcement and revenue protection

    What are the guidelines on exceptions 10.1(d) and 11.1(e)?

    Guideline 36 gives the text of exceptions 10.1(d) and 11.1(e)

    Guideline 37 discusses when exceptions 10.1(d) and 11.1(e) may be applied

    Guideline 38 explains "reasonably necessary"

    Guideline 39 explains what "to enforce the criminal law" means

    Guideline 40 explains what "to enforce a law imposing a pecuniary penalty" means

    Guideline 41 explains what "to protect the public revenue" means

    Guideline 42 directs you to the noting requirements of IPPs 10.2 and 11.2
     
     

    36 What do exceptions 10.1(d) and 11.1(e) say?

    The text of exception 10.1(d) is:
     
     

    ... [unless] use of the information for that other purpose is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue
     
     

    The text of exception 11.1(e) is:
     
     

    ... [unless] the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue
     
     

    Meaning of exceptions 10.1(d) and 11.1(e)

    Exception 10.1(d) allows an agency to use personal information if that is reasonably necessary:
     
     

    * to enforce the criminal law (guideline 39), or

    * to enforce a law imposing a financial penalty (guideline 40), or

     * to protect the public revenue (guideline 41).

    Exception 11.1(e) allows an agency to disclose personal information in the same circumstances.
     
     

    These exceptions should only apply to unusual uses or disclosures
     
     

    The Privacy Commissioner considers that an agency should rely on positive authorities given by specific law (see guidelines 30 to 35) wherever possible. So if an agency is governed by laws that purport to set out categories of all permitted uses and disclosures, it should not rely on exceptions 10.1(d) and 11.1(e) to expand those categories.
     
     

    37 When exceptions 10.1(d) and 11.1(e) may be applied

    An agency may want to apply IPP 10.1(d) or IPP 11.1(e) to three types of use or disclosure:
     
     

    Uses and disclosures for specific investigations

    These uses and disclosures may involve either:

    * an agency using or disclosing personal information about a particular person, reasonably believing it will safeguard one of the public purposes listed in the exceptions in a predictable way.

    For example: if a person is suspected of a crime, an agency may disclose information about that person to an investigating body.
     
     

    * an agency using or disclosing personal information about a class of people who share a particular characteristic that is significant to the investigation.
     
     

    For example: it may be reasonably necessary for enforcing the criminal law to identify all the people who own a particular type of car.
     
     

    The Privacy Commissioner has no concerns about applying exception 10.1(d) or 11.1(e) to this sort of activity.
     
     

    Uses and disclosures for intelligence gathering that does not relate to a specific crime

    In safeguarding one of the public purposes listed in exceptions 10.1(d) or 11.1(e), it may be reasonably necessary for an agency to use or disclose information about a range of people - even though none of them has yet been directly linked to an unlawful activity.

    For example: Investigators may suspect that a particular building is being used in drug trafficking and may think it reasonably necessary for enforcing the criminal law that they gather information about people associated with the building - even though they do not know what part, if any, those people play in the suspected activity.
     
     

    Uses and disclosures for data-matching to identify people of interest

    An agency may wish to use or disclose personal information about a large group of people so that the information can be analysed or compared with other information to identify a few people for further action or investigation.
     
     

    For example: a benefit paying agency may want to disclose personal information about its clients so it can be compared with tax records, in an attempt to identify people claiming benefits to which they are not entitled.
     
     

    The Privacy Commissioner believes that exceptions 10.1(d) and 11.1(e) should not be used to justify uses and disclosures for this sort of data matching. (In 1987, the heads of Commonwealth law enforcement agencies took a similar view.) This data-matching poses particular risks to the privacy of people's personal information because it usually involves disclosing personal information about large numbers of people, most of whom are of no interest to the agency conducting the matching.
     
     

    The Privacy Commissioner strongly encourages agencies to conduct data-matching only with express legislative authority, which would allow them to rely on exception 10.1(c) or 11.1(d).
     
     

    To supplement the IPPs as they apply to data-matching, the Privacy Commissioner has issued Guidelines for the use of data-matching in Commonwealth administration, available from his office. These guidelines are voluntary, but the Privacy Commissioner encourages agencies to follow them.
     
     

    38 Meaning of "reasonably necessary"

    To satisfy exceptions 10.1(d) and 11.1(e), the disclosing or using agency must:
     
     

    * establish a link between the proposed use or disclosure and the relevant public interest (for example, enforcing the criminal law), and

     * establish that the link is strong enough to say that the use or disclosure is reasonably necessary to safeguard that public interest.

    Judging whether the link is strong enough will often be a difficult task and it is not possible to lay down rigid standards.

    As a general rule "reasonably necessary" implies that a use or disclosure need not be essential or critical to serving the public interest concerned (for example, enforcing the criminal law). But it must be more than just helpful, or of some assistance, or expedient. Within this range, an agency will inevitably need to exercise its own judgment about what is reasonably necessary.
     
     

    Factors relevant to "reasonably necessary"
     
     

    What is "reasonably necessary" depends on which of the three public interests specified in these exceptions is at issue. But in general, factors relevant to the judgement include:
     
     

    * whether there are other practical and less intrusive measures available

     * whether the potential harm to the public interest in question is sufficiently strong to outweigh the privacy interests of the people the information is about

     * (for disclosing agencies) who is to receive the personal information and whether and how the information is likely to be protected once it is disclosed.

    If an agency frequently discloses personal information to an organisation relying on 11.1(e), it may agree with the organisation that if specific criteria are satisfied in requesting the information, it will treat its disclosure as being "reasonably necessary".

    For example: the disclosing agency may require that the request: be made by an officer of a particular level, refer to a specific offence, refer to a specific case number, and be dated and signed.
     
     

    To find out more about managing the use and disclosure of personal information, see Some options for minimising risk of breaching the IPPs.
     
     

    An agency should make sure that all personal information it discloses is reasonably necessary to safeguard the public interest at stake. It should not disclose any extra personal information.
     
     

    Disclosures initiated by the disclosing agency
     
     

    Agencies most often rely on 11.1(e) for disclosures they make at the request of the receiving organisation. In this situation, the disclosing agency can ask the receiving organisation to explain why the disclosure is reasonably necessary.

    But if an agency wants to initiate a disclosure of personal information relying on exception 11.1(e), it is much harder for it to judge if the disclosure is reasonably necessary. An agency should have procedures to make sure that it voluntarily discloses personal information only if suitably senior staff decide that it is reasonably necessary.
     
     

    39 Meaning of "to enforce the criminal law"

    Meaning of "criminal law"

    "Criminal law" means any Commonwealth, State, or Territory law that makes particular behaviour an offence punishable by fine or imprisonment.
     
     

    Broadly speaking, "criminal law" encompasses those laws that make an act a crime, so that criminal proceedings can be taken. These proceedings are usually prosecuted by the police or Crown prosecutors. They are usually heard in criminal courts, and may result in the accused being convicted and punished by fine or imprisonment.
     
     

    Criminal law of non-Australian jurisdictions
     
     

    "Criminal law" may include the law of non-Australian jurisdictions if the Commonwealth agrees to it under the Mutual Assistance in Criminal Matters Act. But an agency may more appropriately seek to justify a use or disclosure to enforce this kind of law by using exception 10.1(c) or 11.1(d).
     
     

    Meaning of "to enforce" the criminal law

    "To enforce" the criminal law means:
     
     

    * the process of investigating crime and prosecuting criminals, and

     * gathering intelligence about crime to support the investigating and prosecuting functions of law enforcement agencies.

    Who can disclosures be made to?
     
     

    An agency should only disclose personal information that is reasonably necessary to enforce the criminal law, to:
     
     

    * an organisation that has statutory responsibilities for investigating or prosecuting criminal offences

     * a person or organisation that must be told the personal information so that they can help in the investigation or prosecution.

    Examples of permissible uses and disclosures
     
     

    These are examples of uses and disclosures that are reasonably necessary to enforce the criminal law, within exceptions 10.1(d) and 11.1(e):
     
     

    * An agency may disclose relevant personal information to a State Department of Corrective Services that is trying to decide where to imprison people convicted of criminal offences.

     * Police may disclose personal information - for example, the identity of an offender - if the disclosure is necessary for the criminal compensation system to function.

    40 Meaning of "to enforce a law imposing a pecuniary penalty"

    Exception 10.1(d) allows an agency to use personal information for another purpose, if that is reasonably necessary to enforce a law imposing a pecuniary penalty. Exception 11.1(e) allows an agency to disclose personal information in the same circumstances.

    Laws imposing pecuniary penalties are often referred to as "civil penalty" or "administrative penalty" provisions. They are laws that:
     
     

    * impose penalties for breaches of Commonwealth laws that are not prosecuted criminally

    For example: many offences under the Customs Act and offences under the Taxation Administration Act.

    Or
     
     

    * impose penalties as an administrative alternative to prosecution

    For example: the pecuniary penalty provisions under the Customs Act concerning false statements.

     These pecuniary penalties are recoverable as civil debts and so are distinguishable from fines imposed under the criminal law.
     
     

    The law must be either:
     
     

    * a Commonwealth law, or

     * a law of a State or Territory that the Commonwealth has formally agreed to enforce.

    "Law" includes regulations, directions and other delegated legislation.

    Who can disclosures be made to?
     
     

    The use or disclosure must be directly linked to enforcing the law imposing a pecuniary penalty. With a disclosure, the body to which the disclosure is made should be essential to investigating and taking action to enforce the law.
     
     

    41 Meaning of "to protect the public revenue"

    Exception 10.1(d) says that an agency may use personal information for another purpose if the use is reasonably necessary to protect the public revenue. Exception 11.1(e) says that an agency may disclose personal information in the same circumstances.
     
     

    "Public revenue" clearly means Commonwealth revenue (that is, taxes and similar charges). In some contexts, it may also include State and Territory revenue.
     
     

    "Protecting the public revenue" includes those activities of the Australian Taxation Office (and any other agency with the power to levy taxes or charges) that are directed to ensuring that lawful obligations are met by those subject to the taxes or charges. Routine collection of taxes, levies and charges is therefore covered, as is audit, investigatory and debt recovery activity directed at ensuring that taxation and similar obligations are met. Any prosecution activity related to tax offences would fall under the "criminal law" exception discussed in guideline 39.
     
     

    The Commissioner has acknowledged that "protecting the public revenue" also extends to some aspects of administering Commonwealth assistance and payment programs.
     
     

    Protecting the public revenue does not cover activities aimed at identifying and eliminating inefficient but lawful spending of public money. Such a broad interpretation would allow use and disclosure in almost any context that involves a public financial transaction, and would make IPPs 10.1 and 11.1 ineffective.
     
     

    42 IPPs 10.2 and 11.2 - Noting uses and disclosures

    IPPs 10.2 and 11.2 require an agency that uses or discloses personal information under 10.1(d) or 11.1(e), to note that use or disclosure on the record containing that information. Please read Information Privacy Principles 10.2 and 11.2 - noting uses and disclosures.
     
     

    Exception 10.1(e) - directly related purpose

    What are the guidelines on exception 10.1(e)?

    Guideline 43 gives the text of exception 10.1(e)

    Guideline 44 explains "directly related"

    Guideline 45 explains that the "purpose" for which personal information is obtained should be interpreted narrowly
     
     

    43 What does exception 10.1(e) say?

    The text of exception 10.1(e) is:
     
     

    ... [unless] the purpose for which the information is used is directly related to the purpose for which the information was obtained.
     
     

    Meaning of exception 10.1(e)

    Exception 10.1(e) allows an agency to use personal information for any purpose that is directly related to the purpose for which it originally obtained the information.
     
     

    This exception applies only to uses of personal information.

    Note: Sometimes providing personal information to third parties (for example, contractors) is treated as a use rather than a disclosure (see When is passing personal information outside the agency a use?).
     
     

    44 Meaning of "directly related"

    "Directly" means that there needs to be a close relationship between the purpose of the use and the purpose for which the personal information is obtained in the first place.

    A directly related purpose is one which is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. If the related purpose is administrative, it must be one that people would reasonably expect to be associated with the original purpose.
     
     

    Here are some examples of uses of personal information that may be seen as directly related to the purpose for which that information is obtained:
     
     

    * An agency uses information obtained for the purpose of operating a program, for the purpose of monitoring, evaluating, auditing or managing that program.

     * An agency uses information obtained for the purpose of investigating complaints, for the purpose of conducting follow-up surveys and reporting to Parliamentary Committees.

    45 The original "purpose" for which information is obtained should be interpreted narrowly

    The "purpose" for which information is obtained should be interpreted narrowly. This is discussed in guideline 10. Guideline 10 also tells you how to work out the original purpose for obtaining the personal information.
     
     

    Information Privacy Principles 10.2 and 11.2 - noting uses and disclosures

    What are the guidelines on IPPs 10.2 and 11.2?

    Guideline 46 gives the text of IPPs 10.2 and 11.2

    Guideline 47 tells you that the note should be made on or attached to the record, and explains what the note must address
     
     

    46 What do IPPs 10.2 and 11.2 say?

    The text of IPP 10.2 is:
     
     

    Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record keeper shall include in the record containing that information a note of that use.
     
     

    The text of IPP 11.2 is:
     
     

    Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record keeper shall include in the record containing that information a note of the disclosure.
     
     

    Meaning of IPPs 10.2 and 11.2

    IPP 10.2 says that when an agency uses personal information under exception 10.1(d), it must note that use on the record containing that information.
     
     

    IPP 10.2 seems to say that an agency must note all of its uses of personal information made to safeguard any of the three public interests in exception 10.1(d) - even if the agency does not need to rely on 10.1(d). But the wording of IPP 10.2 clearly shows that it is to be read in the context of exception 10.1(d). So the Privacy Commissioner interprets the noting requirement as only applying to uses when an agency relies on this exception.

    IPP 11.2 says that when an agency discloses personal information under exception 11.1(e), it must note that disclosure on the record containing that information.

    The Commissioner recognises that disclosures of personal information pose a greater threat to privacy than using personal information, and that agencies should take greater care in noting disclosures. So, for disclosures made to safeguard any of the three public interests in IPP 11.2, the Commissioner interprets the noting requirement in IPP 11.2 as applying:
     
     

    * always - if the agency is relying on 11.1(e), and

    * to the extent practical - if the agency is not relying on 11.1(e).

    47 The note should be made on, or attached to, the record

    Paper records
     
     

    Normally, the note should be made on, or attached to, the record containing the personal information. Only if this is impractical or undesirable should an agency rely on a separate log of uses and disclosures. If a log is used, the record must specifically refer to the log and explain how it can be accessed.
     
     

    Computer records
     
     

    If personal information is held on computer, the note should be linked, or refer, to the particular personal information that has been used or disclosed.
     
     

    A computer audit trail (that is, an electronic log showing who accesses a particular record when, and sometimes for what purpose) by itself may not satisfy the noting requirement of IPPs 10.2 and 11.2. It may not contain sufficient detail about the disclosure or it may be too hard to reconstruct the history of the record's use and disclosure.
     
     

    What the note must address
     
     

    The questions that the note must answer are:
     
     

    * has personal information in this record ever been used relying on exception 10.1(d) or disclosed relying on exception 11.1(e)?

     * if so, when, by whom, to whom (for disclosures), and for what purpose?
     
     

    An agency may wish to protect the notes from scrutiny by staff who routinely access the records - but they must be accessible for audits or investigations by the Privacy Commissioner and for Freedom of Information (FOI) requests.

    Information Privacy Principle 11.3 - use and disclosure of disclosed information

    What are the guidelines on IPP 11.3?

    Guideline 48 gives the text of IPP 11.3

    Guideline 49 explains that the recipient may only use or disclose personal information for the purpose for which the disclosing agency gave it to them

    Guideline 50 discusses what the disclosing agency should do
     
     

    48 What does IPP 11.3 say?

    The text of IPP 11.3 is:
     
     

    A person, body or agency to whom personal information is disclosed under clause 1 of this principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.
     
     

    Meaning of IPP 11.3

    IPP 11.3 says that if an agency discloses personal information (however obtained) to any recipient, the recipient can only use or disclose that information for the purpose for which it was disclosed to them.
     
     

    For example: an agency that has received personal information from a compensation authority for the purpose of managing superannuation obligations is obliged by IPP 11.3 not to use or disclose that information for any other purpose.
     
     

    49 The recipient must only use or disclose the information for the purpose for which it is disclosed to them

    A "directly related" purpose is insufficient
     
     

    The recipient must use or disclose personal information for the same purpose for which it is disclosed to them, not a directly related one. For a discussion of the purpose for which personal information is obtained, please read Working out the particular purpose for which information is obtained.

    If an agency discloses personal information to another agency
     
     

    IPP 11.3 says that an agency that receives personal information from a disclosing agency must only use or disclose that information for the purpose for which it is disclosed - even if one or more of the exceptions in IPP 10.1 or 11.1 would otherwise apply to the proposed use or disclosure.

    For example: Agency B receives personal information from agency A. If organisation C asks agency B to disclose the information for another purpose, agency B cannot disclose the information itself - even if it could apply one of the exceptions under IPP 11.1 to the disclosure. It may, however, refer organisation C to agency A, the original source of the information. Agency A can disclose to C if it can bring itself within one of the exceptions to IPP 11.1.
     
     

    50 What the disclosing agency should do

    The disclosing agency should take all reasonable steps to prevent the personal information being re-used or re-disclosed for purposes other than that for which the agency discloses it.

    These steps may be set out in contract clauses or in a memorandum of understanding between the disclosing agency and the recipient.

    An agency should use whatever contractual or administrative authority it has, to control inappropriate re-use or re-disclosure.
     
     

    Possible arrangements include:
     
     

    * requiring the receiving organisation to return or destroy the documents once the purpose for which the disclosure is made is completed

     * requiring the receiving organisation to securely retain the personal information

     * requiring the receiving organisation to impose appropriate restrictions on access and any further disclosures

     * informing the receiving organisation that these controls are required by Commonwealth law

     * informing the receiving organisation that their use or disclosure of the personal information is governed by IPP 11.3.