Draft Guidelines for APPs 6 – 11 released for consultation today
September 20, 2013
The Australian Privacy Commissioner has released its draft guidelines regarding APPs 6 – 11 for consultation. Consultation is open until 21 October 2013. They are found here.
I have extracted the draft guidelines below, absent indexes and footnotes.
Australian Privacy Principle 6 – use or disclosure of personal information
Key points
- APP 6 outlines when an APP entity may use or disclose personal information.
- An APP entity can only use or disclose personal information for the particular purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.
- The exceptions include where:
- the individual has consented to a secondary use or disclosure
- the individual would reasonably expect the APP entity to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose
- the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order
- a permitted general situation exists in relation to the secondary use or disclosure
- the APP entity is an organisation and a permitted health situation exists in relation to the secondary use or disclosure
- the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, or
- the APP entity is an agency (other than an enforcement body) and discloses biometric information or biometric templates to an enforcement body, and the disclosure is conducted in accordance with guidelines made by the Information Commissioner for the purposes of APP 6.3.
What does APP 6 say?
6.1 APP 6 outlines when an APP entity may use or disclose personal information. The intent is that an APP entity will generally use and disclose an individual’s personal information only in ways the individual would expect.
6.2 An APP entity that holds personal information about an individual can only use or disclose the information for the particular purpose for which it was collected (known as the ‘primary purpose’ of collection), unless an exception applies. Where an exception applies the entity may use or disclose personal information for another purpose (known as the ‘secondary purpose’). Exceptions include:
- the individual consented to a secondary use or disclosure (APP 6.1(a))
- the individual would reasonably expect the secondary use or disclosure, and that is related to the primary purpose of collection or, in the case of sensitive information, directly related to the primary purpose (APP 6.2(a))
- the secondary use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order (APP 6.2(b))
- a permitted general situation exists in relation to the secondary use or disclosure of the information by the APP entity (APP 6.2(c))
- the APP entity is an organisation and a permitted health situation exists in relation to the secondary use or disclosure of the information by the organisation (APP 6.2(d))
- the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (APP 6.2(e))
- the APP entity is an agency (other than an enforcement body) and discloses personal information that is biometric information or biometric templates to an enforcement body, and the disclosure is conducted in accordance with guidelines made by the Information Commissioner for the purposes of APP 6.3 (APP 6.3).
6.3 An APP entity may disclose personal information, other than sensitive information, to a related body corporate (s 13B(1)(b)).
6.4 APP 6 does not apply to the use or disclosure by an organisation of:
- personal information for the purpose of direct marketing (this is covered by APP 7), or
- government related identifiers (this is covered by APP 9) (APP 6.7).
‘Hold’, ‘use’, ‘disclose’ and ‘purpose’
6.5 Each of these key terms, used in APP 6 and other APPs, is discussed in more detail in Chapter B (Key concepts). Following is a brief analysis of the meaning of these terms in the context of APP 6.
‘Holds’
6.6 APP 6 regulates the use and disclosure of personal information that an APP entity ‘holds’. Section 6(1) provides that an APP entity holds personal information ‘if the entity has possession or control of a record that contains the personal information’.
6.7 The term ‘holds’ extends beyond physical possession of a record to include a record that an entity has the right or power to deal with. An example is a record of personal information stored on servers managed by a third party, where the APP entity has the right to deal with that information, such as by accessing and amending the information.
‘Use’
6.8 The term ‘use’ is not defined in the Privacy Act, and bears its normal dictionary meaning. An APP entity ‘uses’ information where personal information is handled, or an activity is undertaken with the information, within the entity. Examples include the APP entity:
- accessing and reading the personal information
- searching records that contain the information
- making a decision based on the information
- passing the information from one part of the entity to another.
‘Disclose’
6.9 The term ‘disclose’ is not defined in the Privacy Act, and bears its normal dictionary meaning. An APP entity ‘discloses’ personal information when it permits that information to become known outside the entity and releases it from its effective control. The release of the information may be a proactive release or publication, a release in response to a specific request, or an accidental release. Examples include where an APP entity:
- shares the personal information with another entity
- publishes the information on the internet so that it is accessible to another entity, whether intentionally or not, and whether or not the information is actually accessed by another entity
- reveals the information in the course of a conversation with a person outside the entity
- sends a document containing an individual’s personal information to someone other than the individual.
6.10 ‘Disclosure’ is a separate concept from:
- ‘unauthorised access’ which is addressed in APP 11. An APP entity is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information. Examples include unauthorised access following a cyber-attack or a theft, including where the third party then makes that information available to others outside the entity. However, where a third party gains unauthorised access, the APP entity may breach APP 11 if it did not take reasonable steps to protect the information from unauthorised access (see APP 11, Chapter 11)
- an individual’s right to access their personal information, which is addressed in APP 12 (see Chapter 12)
- ‘use’, which is discussed in paragraphs 6.8 to 6.9 above. APP 6 generally imposes the same obligations for uses and disclosures of personal information, and therefore this distinction is not relevant in interpreting this principle (except in relation to APP 6.3). However, the distinction is relevant to APP 8, which applies to the disclosure of personal information to an overseas recipient (see Chapter 8).
‘Purpose’ of collection
6.11 The purpose for which an APP entity collects personal information is known as the ‘primary purpose’ of collection. There will be a primary purpose of collection even if the entity has additional purposes for which it collects personal information.
6.12 The primary purpose of collection should be determined on a case-by-case basis and will depend on the circumstances. However in general, ‘primary purpose’ should be construed narrowly. This ensures that individuals understand and retain some control over how their personal information is used and disclosed.
6.13 ‘Purpose’ is discussed in more detail in Chapter B (Key concepts).
Use or disclosure for a secondary purpose
6.14 A ‘secondary purpose’ is any purpose other than the primary purpose for which the APP entity collected the personal information.
6.15 A disclosure to an unintended recipient will generally be a disclosure for a secondary purpose, even if the APP entity intended to disclose the personal information to a different recipient for the primary purpose of collection.
6.16 The circumstances where an entity may use or disclose personal information for a secondary purpose are outlined below.
Using or disclosing sensitive information with the individual’s consent
6.17 APP 6.1(a) permits an APP entity to use or disclose personal information for a secondary purpose where the individual has consented to the use or disclosure.
6.18 Consent is defined in s 6(1) as ‘express consent or implied consent’ and is discussed generally in Chapter B (Key concepts). The four key elements of consent are:
- it must be provided voluntarily
- the individual must be adequately informed
- it must be current and specific, and
- the individual must have the capacity to understand and communicate their consent.
Using or disclosing personal information where reasonably expected by the individual
6.19 APP 6.2(a) permits an APP entity to use or disclose personal information for a secondary purpose if the individual would reasonably expect the entity to use or disclose the information for that secondary purpose, and:
- if the information is sensitive information – the secondary purpose is directly related to the primary purpose of collection, or
- if the information is not sensitive information – the secondary purpose is related to the primary purpose of collection.
6.20 This exception creates a two-limb test which focuses both on the reasonable expectations of the individual, and the relationship between the primary and secondary purposes.
Reasonably expect
6.21 An APP entity should assess the reasonable expectations of an individual from the perspective of an individual with no special knowledge of the industry or activity involved. The expectations of the actual individual involved should be considered by the entity, but they are not determinative.
6.22 An APP entity should consider whether an individual would reasonably expect it to use or disclose part of a document or file for a secondary purpose, rather than the whole document or file. The entity should only disclose the minimum amount of personal information sufficient for the secondary purpose. For example, an individual may not reasonably expect an APP entity that is investigating their complaint against a contractor to disclose the individual’s residential address and home contact details to the contractor as part of its investigation. The individual would reasonably expect the entity to only give the contractor the minimum amount of personal information necessary to enable them to respond to the complaint.
6.23 Examples of where an individual may reasonably expect their personal information to be used or disclosed for a secondary purpose include where:
- the individual makes adverse comments in the media about the way an APP entity has treated them. In these circumstances, it may be reasonable to expect the entity to respond publicly to these comments in a way that reveals personal information specifically relevant to the issues that the individual has raised.
- an agency collects an individual’s queries, views or representations on a particular issue and refers these to another appropriate entity within parliament or government.
- an APP entity’s APP Privacy Policy clearly explains the purposes (including the particular secondary purpose) for which the entity collects, holds, uses and/or discloses personal information in accordance with APP 1 (see Chapter 1), and the entity has notified the individual of the purpose of collection and the purpose of its usual disclosures, in accordance with APP 5.1 (see Chapter 5).
Relationship between the primary and secondary purpose
Related secondary purpose
6.24 For the use or disclosure of personal information (other than sensitive information) to be ‘related’ to the primary purpose of collection, the secondary purpose must be connected to or associated with the primary purpose. A secondary purpose is not related (or directly related) to the primary purpose where there is only a tenuous link.
6.25 Examples of where a secondary purpose is related to the primary purpose of collection include:
- an organisation collects personal information about an individual for the primary purpose of collecting a debt. A law firm, acting on behalf of that organisation in relation to the debt collection, contacts the individual’s neighbour and seeks information from the neighbour about the individual’s whereabouts (but does not disclose any specific information about the debt). This disclosure to the neighbour, for the secondary purpose of locating the individual, is related to the primary purpose of debt collection and would be within the individual’s reasonable expectations
- an agency collects personal information to include in an employee’s personnel file for the primary purpose of administering that individual’s employment. It then uses this information as part of an investigation into complaints by the individual about working conditions. In these circumstances, the use for the secondary purpose of investigating a complaint in the workplace is related to the primary purpose of collection, and would be within the individual’s reasonable expectations
- an APP entity collects personal information when an individual purchases a subscription from the entity, for the purpose of providing that subscription service. The entity later uses that information to notify the individual of a change of the entity’s address. In these circumstances, using the individual’s contact details to notify them of the change of address is related to the primary purpose of providing the subscription service, and would be within the individual’s reasonable expectations.
Directly related secondary purpose
6.26 For the use or disclosure of sensitive information, the secondary purpose must be ‘directly related’ to the primary purpose of collection. A directly related purpose is one which is closely associated with the primary purpose, even if it is not strictly necessary to achieve that primary purpose. This requirement for a direct relationship recognises that the use and disclosure of sensitive information can have serious ramifications for the individual concerned or those associated with the individual, including humiliation, embarrassment or loss of dignity.
6.27 Following is an example of where a secondary purpose is directly related to the primary purpose of collection: a health service provider collects health information about an individual for the purpose of providing treatment, and then decides, for ethical and therapeutic reasons, that they cannot treat the individual. The health service provider then advises their clinic manager of the individual’s need for treatment, their personal refusal to treat the complainant and the reasons for this refusal. This disclosure to the clinic manager is directly related to the purpose for which the information was collected, and would be within the individual’s reasonable expectations.
Using or disclosing personal information as required or authorised by law
6.28 An APP entity may use or disclose personal information for a secondary purpose if the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order (APP 6.2(b)).
6.29 The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in Chapter B (Key concepts).
6.30 Examples of where an APP entity may be required or authorised by law to use or disclose personal information include where:
- a warrant, order or notice issued by a court requires the entity to provide information, or produce records or documents that are held by the entity
- the entity is subject to statutory requirements to report certain matters to agencies or enforcement bodies, for example specific financial transactions, notifiable diseases and suspected cases of child abuse
- laws apply to the entity, which clearly and specifically give the entity the authority to use or disclose the personal information, for example giving a record to the Private Health Insurance Ombudsman in certain circumstances and certain disclosures to trustees conducting investigations under the Bankruptcy Act 1966. This may also include uses or disclosures of personal information required or authorised under the Privacy Act, for example the steps that an APP entity takes to de-identify personal information to comply with APP 11.
Using or disclosing personal information where a permitted general situation exists
6.31 An APP entity may use or disclose personal information for a secondary purpose if a ‘permitted general situation’ exists in relation to the use or disclosure of the information by the entity (APP 6.2(e)).
6.32 Section 16A lists seven permitted general situations (two of which only apply to agencies). The seven situations are set out below, and are discussed in Chapter C (Permitted general situations), including the meaning of relevant terms.
Lessening or preventing a serious threat to life, health or safety
6.33A An APP entity may use or disclose personal information for a secondary purpose where:
- the entity reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and
- it is unreasonable or impracticable to obtain consent (s 16A(1)(item 1)).
6.33 Examples of where this exception might apply include:
- where an individual is seriously injured while interstate and, due to their injuries, cannot give informed consent, the individual’s usual health service provider may be able to disclose personal information about the individual to another health service provider who is treating the individual’s serious injuries.
- where an APP entity that provides child protection services has evidence that a child is at risk of physical or sexual abuse by their parent, the entity may be able to disclose the personal information of the parent to another child protection service.
Taking appropriate action in relation to suspected unlawful activity or serious misconduct
6.34 An APP entity may use or disclose personal information for a secondary purpose where the entity:
- has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in, and
- reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter (s 16A(1)(item 2)).
6.35 Examples of where this exception might apply are the use of personal information by:
- an APP entity that is investigating suspected fraud within the entity
- an agency that is investigating a suspected serious breach of the Australian Public Service Code of Conduct.
Locating a missing person
6.36 An APP entity may use or disclose personal information for a secondary purpose where the entity:
- reasonably believes that the use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing, and
- the use or disclosure complies with rules made by the Commissioner under s 16A(2) of the Privacy Act (s 16A(1)(item 3)).
Reasonably necessary for establishing, exercising or defending a legal or equitable claim
6.37 An APP entity may use or disclose personal information for a secondary purpose where the use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim (s 16A(1)(item 4)).
6.38 An example of where this exception might apply is where an individual has made a claim under their life insurance policy and the insurer is preparing to dispute the claim. The insurer may use or disclose personal information about the individual to establish its defence of the claim.
Reasonably necessary for a confidential alternative dispute resolution process
6.39 An APP entity may use or disclose personal information for a secondary purpose where the use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution (ADR) process (s 16A(1)(item 5)).
6.40 An example of where this exception might apply is where an APP entity discloses their version of events during a confidential alternative dispute resolution process, where that account includes the disclosure of personal information about an individual who is directly or indirectly involved in the dispute.
Necessary for a diplomatic or consular function or activity
6.41 An agency may use or disclose personal information for a secondary purpose where the agency reasonably believes that the use or disclosure is necessary for the agency’s diplomatic or consular functions or activities (s 16A(1)(item 6)).
6.42 An example of where this exception might apply is where an agency with diplomatic or consular functions uses or discloses personal information to grant a diplomatic visa to a foreign national accredited as a member of the diplomatic staff of a mission to Australia.
Necessary for certain Defence Force activities outside Australia
6.43 The Defence Force may use or disclose personal information for a secondary purpose where it reasonably believes that the use or disclosure is necessary for activities specified in s 16A, occurring outside Australia and the external Territories (s 16A(1)(item 7)). These activities include warlike operations, peacekeeping, humanitarian assistance and disaster relief.
6.44 An example of where this exception might apply is where the Defence Force uses and discloses personal information about an enemy or other hostile adversary in order to support Defence Force military operations.
Using or disclosing personal information where a permitted health situation exists
6.45 An organisation may use or disclose personal information if a ‘permitted health situation’ exists in relation to the use or disclosure (APP 6.2(d)). This exception does not apply to agencies.
6.46 Section 16B lists three permitted health situations that relate to the use or disclosure of health information or genetic information by an organisation. The three situations are set out below, and are discussed in Chapter D (Permitted health situations), including the meaning of relevant terms.
Conducting research
6.47 An organisation may use or disclose health information about an individual for a secondary purpose if the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:
- it is impracticable to obtain the individual’s consent to the use or disclosure
- the use or disclosure is conducted in accordance with guidelines approved under s 95A of the Privacy Act, and
- in the case of disclosure – the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information (s 16B(3)).
6.48 An example of where this exception might apply is where an organisation discloses health information to a researcher who is conducting public health research in circumstances where the age of the information makes it impracticable to obtain consent. The disclosing organisation should have a written agreement with the researcher which requires the researcher not to disclose the health information, or any personal information that is derived from that health information. The disclosure must be carried out in accordance with guidelines approved under s 95A of the Privacy Act.
Necessary to prevent a serious threat to the life, health or safety of a genetic relative
6.49 An organisation may use or disclose genetic information about an individual for a secondary purpose if:
- the organisation has obtained the information in the course of providing a health service to the individual
- the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the individual
- the use or disclosure is conducted in accordance with guidelines approved under s 95AA of the Privacy Act, and
- in the case of disclosure – the recipient of the information is a genetic relative of the individual (s 16B(4)).
6.50 An example of where this exception might apply is:
- in the course of providing a health service, an organisation obtains information that a patient has a pathogenic mutation in the Huntington disease gene, and
- the individual refuses to consent to the organisation disclosing any information to their genetic relatives, even after the individual has participated in discussions and counselling, and received information about the implications of the diagnosis for the individual’s genetic relatives.
Despite this refusal, the organisation may disclose the genetic information to genetic relatives under this exception, providing any disclosure is in accordance with guidelines approved under s 95AA of the Privacy Act.
Disclosure to a responsible person for the individual
6.52 An organisation may disclose health information about an individual for a secondary purpose if:
- the organisation provides a health service to the individual
- the recipient of the information is a ‘responsible person’ for the individual
- the individual is either physically or legally incapable of giving consent to the disclosure, or physically cannot communicate consent to the disclosure
- the individual providing the health service (the ‘carer’) is satisfied that either the disclosure is necessary to provide appropriate care or treatment of the individual, or the disclosure is made for compassionate reasons
- the disclosure is not contrary to any wish expressed by the individual before the individual became unable to give or communicate consent of which the carer is aware or of which the carer could reasonably be expected to be aware
- the disclosure is limited to the extent reasonable and necessary for providing appropriate care or fulfilling compassionate reasons (s 16B(5)).
6.53 An example of where this exception might apply is where an individual who cannot give consent is released from hospital into the care of family members. The health service provider (referred to in this exception as the ‘carer’) discloses health information to the family members to enable them to monitor the individual’s progress and administer medication. In these circumstances, the exception would apply where the carer is satisfied that the disclosure is necessary to provide appropriate care for the individual. The disclosure must be limited to the extent reasonable and necessary to provide appropriate care.
6.54 Another example is where a carer discloses health information to an unconscious patient’s family members about the patient’s condition. In these circumstances, the exception would apply where the carer is satisfied that the disclosure is necessary for compassionate reasons. The disclosure must be limited to the extent reasonable and necessary for these reasons.
Using or disclosing personal information for an enforcement related activity
6.55 An APP entity may use or disclose sensitive information for a secondary purpose where the entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (APP 6.2(e)).
6.56 ‘Enforcement body’ is defined in s 6(1) and is discussed in Chapter B (Key concepts). The list includes Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions. Examples of Commonwealth enforcement bodies are the Australian Federal Police, Australian Crime Commission, Customs, the Integrity Commissioner, Australian Prudential Regulation Authority and the Australian Securities and Investments Commission.
6.57 ‘Enforcement related activities’ is also defined in s 6(1) and is discussed in Chapter B (Key concepts). Enforcement related activities include the prevention, detection, investigation and prosecution or punishment of criminal offences and intelligence gathering activities.
Reasonable belief
6.58 To form a reasonable belief, an APP entity must make a judgment about whether the use or disclosure is reasonably necessary in the circumstances. It must have a reasonable basis for that judgment. ‘Reasonable belief’ is discussed in more detail in Chapter B (Key concepts).
6.59 In some circumstances, the basis for an entity’s ‘reasonable belief’ will be clear, for example, if the APP entity discloses personal information in response to a written request by an enforcement body and the request refers to a specific offence, specific case number, and is dated and signed by an authorised person. In other circumstances, the basis for this belief may be less clear, and the entity will need to reflect more carefully about whether its judgment is reasonable.
Reasonably necessary
6.60 The ‘reasonably necessary’ test is an objective test: it is whether a reasonable person in the circumstances would agree that the personal information being used or disclosed is reasonably required for the particular enforcement related activity or activities. The entity has responsibility for being able to explain how the ‘reasonably necessary’ test is met.
6.61 For example, investigators from an enforcement body suspect that a particular building is being used for drug trafficking activities. As part of the enforcement body’s intelligence gathering, the investigators request an APP entity to disclose the personal information of individuals associated with the building (although the investigators do not know the extent, if any, of the involvement of the individuals). This disclosure would be ‘reasonably necessary’ as it forms an important part of the enforcement body’s intelligence gathering about the suspected drug trafficking.
6.62 The use or disclosure does not need to relate to an existing enforcement related activity. The use or disclosure may be reasonably necessary for the initiation of an enforcement related activity. This recognises that a law enforcement body may not be in a position to prevent, detect or investigate offences or breaches of the law, unless and until certain information, including personal information, is brought to its attention.
6.63 An APP entity should ensure that it only uses or discloses the minimum amount of personal information reasonably necessary for a particular enforcement related activity. For example, an APP entity may hold a range of personal information about an individual, such as the person’s contact details, their photograph and information about their political views and religious views. Before disclosing all of this information to the enforcement body, the entity must consider whether only some of this information is reasonably necessary for the enforcement related activity. If so, it should disclose only that information.
Requirement to make a written note of use or disclosure for this secondary purpose
6.64 If an APP entity uses or discloses personal information in accordance with the ‘enforcement related activities’ exception in APP 6.2(e), the entity must make a written note of the use or disclosure (APP 6.5).
6.65 The APP entity should include the following details in that note:
- the date of the use or disclosure
- details of the personal information that was used or disclosed
- the enforcement body conducting the enforcement related activity, and
- if the entity used the information, how the information was used by the entity
- if the entity disclosed the information, who it disclosed the information to (this may be the enforcement body or another entity)
- the basis for the entity’s ‘reasonable belief’. This will help the entity assure itself that this exception applies, and it may be a useful reference if the entity later needs to explain the basis for its belief.
6.66 This requirement does not apply where a law prohibits the entity from making such a record.
Disclosing biometric information to an enforcement body
6.67 An agency may disclose biometric information or biometric templates for a secondary purpose if:
- the agency is not an enforcement body
- the recipient of the information is an enforcement body, and
- the disclosure is conducted in accordance with guidelines made by the Commissioner for the purposes of APP 6.3 (APP 6.3).
This exception does not apply to organisations.
6.68 ‘Biometric information’ and ‘biometric templates’ are types of ‘sensitive information’ (defined in s 6(1)). ‘Enforcement body’ is defined in s 6(1) and is discussed in more detail in Chapter B (Key concepts).
6.69 This exception may apply where the disclosure is for purposes such as identity or nationality verification or general traveller risk assessment, in circumstances where there is a legitimate basis for the disclosure but no criminal enforcement action at that time. For example, a non-enforcement agency could automatically add biometric information and templates to a database operated by an enforcement body (where such disclosures are consistent with the Commissioner’s guidelines).
Requirement to de-identify certain health information before disclosure
6.70 APP 6.4 applies where an organisation collects health information under an exception to APP 3 in s 16B(2). Section 16B(2) permits an organisation to collect health information about an individual if the collection is necessary for research relevant to public health or safety, the compilation or analysis of statistics relevant to public health or public safety, or the management, funding or monitoring of a health service and certain other criteria are satisfied (see Chapter D (Permitted Health Situations)).
6.71 In these circumstances, APP 6.4 requires the organisation to take reasonable steps to ensure that the information is de-identified, before it discloses the information in accordance with APPs 6.1 or 6.2.
6.72 Personal information is de-identified ‘if the information is no longer about an identifiable individual or an individual who is reasonably identifiable’ (s 6(1)). De-identification is discussed in more detail in Chapter B (Key concepts).
6.73 The appropriate steps for an organisation will depend upon circumstances that include:
- the adverse consequences for an individual if their health information is not de-identified before it is disclosed, including any risk of embarrassment, humiliation or loss of dignity
- the practicability of de-identifying the health information. An APP entity should balance the privacy risks of not de-identifying the information against any decision that certain steps to de-identify health information will be impracticable or unduly expensive, and therefore unreasonable.
6.74 In some circumstances, the ‘reasonable steps’ test will not be satisfied simply by removing an individual’s name before publication, as the individual’s identity may be reasonably apparent from other information held about the person, or from the context in which the information is collected.
Related bodies corporate
Use or disclosure of information collected from a related body corporate
6.75 Where an APP entity is a body corporate and it collects personal information from a related body corporate, the APP entity’s primary purpose of collection is taken to be the same as the related body corporate’s primary purpose for originally collecting the information (APP 6.6).
6.76 This means that the body corporate (which has collected personal information from a related body corporate) will need to obtain an individual’s consent before using or disclosing that information for a secondary purpose unless another exception applies.
6.77 For example, an APP entity collects personal information about an applicant contractor for the purpose of assessing their suitability to perform work on its behalf. The parent company then collects that personal information from the entity. The primary purpose of this collection is taken to be the same as the original purpose of collection. If the parent company wishes to disclose the information to a third party for another purpose, it would need to ensure that the contractor consents (or another exception to APP 6 applies).
Disclosure to a related body corporate
6.78 An APP entity may disclose personal information, other than sensitive information, about an individual to a related body corporate (s 13B(1)(b)).
Chapter 7 – Australian Privacy Principle 7 – direct marketing
Key points
- APP 7 provides that an organisation must not use or disclose personal information for the purpose of direct marketing unless an exception applies.
- Direct marketing involves communicating directly with an individual to promote goods and services.
- Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always:
- allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and
- comply with that request.
- An organisation must provide its source for an individual’s personal information, if requested to do so by the individual.
What does APP 7 say?
7.1 An organisation must not use or disclose the personal information that it holds about an individual for the purpose of direct marketing (APP 7.1).
7.2 There are a number of exceptions to this requirement. The exceptions in APP 7.2 and 7.3 apply to personal information other than sensitive information. They draw a distinction between the use or disclosure of personal information by an organisation where:
- the personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used for the purpose of direct marketing (APP 7.2), and
- the personal information has been collected from a third party, or from the individual directly, but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing (APP 7.3).
7.3 Both of these exceptions require an organisation to provide a simple means by which an individual can request not to receive direct marketing communications (also known as ‘opting out’). However, in the circumstances where the organisation has not obtained personal information from the individual, or the individual would not reasonably expect their personal information to be used in this way, there are additional requirements to ensure that the individual is made aware of their right to opt out of receiving direct marketing communications from the organisation.
7.4 Exceptions to this principle also apply in relation to:
- sensitive information (APP 7.4), and
- an organisation that is a contracted service provider for a Commonwealth contract (APP 7.5).
7.5 APP 7 may apply to an agency in some circumstances.
7.6 An individual may request an organisation not to use or disclose their personal information for the purpose of direct marketing, or to facilitate direct marketing by other organisations (APP 7.6). The organisation must give effect to any such request by an individual within a reasonable period of time and for free (APP 7.7).
7.7 An organisation must, on request, notify an individual of its source of the individual’s personal information that it has used or disclosed for the purpose of direct marketing unless this is unreasonable or impracticable (APP 7.6).
7.8 APP 7 does not apply to the extent that the Do Not Call Register Act 2006, the Spam Act 2003 or any other legislation prescribed by the regulations apply (APP 7.8).
What is direct marketing?
7.9 Direct marketing involves the use and/or disclosure of personal information to communicate directly with an individual to promote goods and services. A direct marketer may communicate with an individual through a variety of channels, including telephone, SMS, mail, email and online advertising.
7.10 Organisations involved in direct marketing often collect information about an individual from a variety of sources, including:
- public records, such as telephone directories and land title registers
- membership lists of business, professional and trade organisations
- online, paper-based or phone surveys and competitions
- online accounts, for example purchase history or browsing habits
- mail order or online purchases.
7.11 Examples of direct marketing by an organisation include:
- sending an individual a catalogue in the mail addressed to them by name
- displaying an advertisement on a social media site that an individual is logged into, using personal information, including data stored on cookies relating to websites the individual has viewed
- sending an email to an individual about a sale, after they signed up for a store loyalty card.
7.12 Marketing is not direct, and therefore APP 7.1 does not apply, if personal information is not used or disclosed, for example, where:
- an organisation sends catalogues by mail addressed ‘To the householder’
- an organisation hand delivers promotional flyers to the mailboxes of local residents
- an organisation displays advertisements on a website where the same content is displayed, irrespective of the viewer.
When are agencies covered by APP 7?
7.13 An agency must comply with the direct marketing requirements of APP 7 in the circumstances set out in s 7A. These include where:
- an agency listed in Part 1 of Schedule 2 to the Freedom of Information Act 1982 (the FOI Act) is prescribed in regulations, or
- the act or practice relates to the commercial activity of an agency specified in Part 2 of Schedule 2 to the FOI Act.
Using and disclosing personal information for the purpose of direct marketing where reasonably expected by the individual
7.14 APP 7.2 provides that an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
- the organisation collected the information from the individual
- the individual would reasonably expect the organisation to use or disclose the information for that purpose
- the organisation provides a simple way for the individual to request not to receive direct marketing communications from the organisation (also known as ‘opting out’), and
- the individual has not made such a request to the organisation.
‘Reasonably expects’
7.15 The ‘reasonably expects’ test is an objective one. An organisation should assess the reasonable expectations of an individual from the perspective of a reasonable person with no special knowledge of the industry or activity involved. It is the responsibility of the organisation to show that a reasonable person would reasonably expect their personal information to be used or disclosed for the purpose of direct marketing. The expectations of the actual individual involved should be considered by the organisation, but they are not determinative.
7.16 Factors that may be important in deciding whether an individual has a reasonable expectation that their personal information will be used or disclosed for the purpose of direct marketing include where:
- the individual has consented to the use or disclosure of their personal information for that purpose (see discussion in paragraph 7.24 and Chapter B (Key concepts) for further information about the elements of consent)
- the organisation’s APP Privacy Policy clearly explains that the organisation collects, holds, uses and/or discloses personal information for the purpose of direct marketing (see Chapter 1 for further discussion on APP Privacy Policies)
- the organisation has notified the individual of the purpose of collection and its usual disclosures (including for direct marketing), in accordance with APP 5.1 (see Chapter 5)
- the organisation made the individual aware that they could request not to receive direct marketing communications from the organisation, and the individual does not make such a request (see paragraph 7.23).
7.17 An organisation should not assume that an individual would reasonably expect their personal information to be used or disclosed for the purpose of direct marketing just because the organisation believes that the individual would welcome the direct marketing, for example, because of the individual’s profession, interest or hobby.
7.18 The organisation should assess the reasonable expectations of the individual at the time of the proposed use or disclosure, rather than at the time that the personal information is collected.
7.19 An individual is not likely to have a reasonable expectation that their personal information will be used or disclosed for the purpose of direct marketing where the organisation has notified the individual that their personal information will only be used for a particular purpose unrelated to direct marketing. For example, where an individual provides their phone number to their bank when setting up internet banking, and the bank tells the individual that it will only use the phone number for enabling security for internet banking, the individual is not likely to have a reasonable expectation that their phone number will then be used or disclosed for the purpose of direct marketing.
Providing a simple means for ‘opting out’
7.20 A simple means for opting out should include:
- A clear and easily understood explanation of how to opt out, for example, instructions written in plain English and in a font size that is easy to read.
- A process for opting out, which requires minimal time and effort.
- An opt out process that uses the same communication channel that the organisation used to deliver the direct marketing communication, for example, online or by post. An organisation could also provide additional opt out communication channels.
- An opt out process that is free, or that does not involve more than a nominal cost for the individual, for example, the cost of a local phone call, text message or postage stamp.
7.21 The individual should be able to easily find out about how to opt out. For example, an organisation could provide information about how to opt out in each direct marketing communication. An organisation should also consider whether the means for opting out is accessible to a person with a disability.
7.22 If the individual has ‘opted out’, the organisation must not use or disclose their personal information for the purpose of direct marketing, in accordance with the individual’s request (APP 7.2(d)). Further examples of a simple means to opt out are given in paragraphs 7.28 to 7.31 below.
Using and disclosing personal information for the purpose of direct marketing where no reasonable expectation of the individual, or information collected from a third party
7.23 APP 7.3 provides that an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
- the organisation collected the information from:
- the individual, but the individual would not reasonably expect their information to be used or disclosed for that purpose, or
- a third party, and
- the individual has consented to use or disclosure for that purpose, or it is impracticable to obtain that consent, and
- the organisation provides a simple way for the individual to opt out of receiving direct marketing communications from the organisation, and
- in each direct marketing communication with the individual, the organisation includes a prominent statement, or otherwise draws the individual’s attention to the fact that the individual may make such a request (referred to as an ‘opt out statement’), and
- the individual has not made such a request to the organisation.
Consent
7.24 Consent is defined in s 6(1) as ‘express consent or implied consent’ and is discussed generally in Chapter B (Key concepts). The four key elements of consent are:
- the consent must be voluntary
- the individual must be adequately informed before giving consent
- the consent must be current and specific, and
- the individual must have the capacity to understand and communicate their consent.
Impracticable to obtain consent
7.25 Whether it is ‘impracticable’ for an organisation to obtain consent will depend on a number of factors, including the time and cost involved in seeking consent. However, it would not generally be considered impracticable to obtain consent due to the inconvenience or commercial cost of doing so.
7.26 An organisation may obtain the consent from the individual in relation to a subsequent use or disclosure of the individual’s personal information for the purpose of direct marketing at the time it collects the personal information. In order to rely on this consent, the organisation must be satisfied that it is still current at the time of the use or disclosure.
7.27 Where an organisation did not obtain the individual’s consent at the time of collection, it must obtain the consent of the individual for the proposed use or disclosure, unless it is impracticable to do so. In that case, the organisation should assess whether it is impracticable to obtain consent at the time of the proposed use or disclosure.
Providing a prominent statement about simple means for ‘opting out’
7.28 APP 7.3 requires that an APP entity provides a simple means for an individual to opt out of receiving direct marketing communications (see discussion above at paragraphs 7.20 to 7.22).
7.29 In addition, APP 7.3 requires an APP entity to provide a prominent statement that the individual may request to opt out in each direct marketing communication. This statement should meet the following criteria:
- The statement should be written in plain English, and not use legal or industry jargon.
- It should be positioned prominently, and not hidden amongst other text. Headings may be necessary to draw attention to the statement.
- It should be published in a font size and type which is easy to read, and at least the same font size as the main body of text in the communication.
7.30 The following are given as examples of ways that an organisation may comply with the ‘opt out’ requirements of APP 7.3:
- Clearly indicating in each direct marketing email that the individual can opt out of receiving future emails by replying with a single word instruction in the subject line (for example, ‘unsubscribe’). Alternatively, ensuring that a link is prominently located in the email, which takes the individual to a subscription control centre.
- Clearly indicating that the individual can opt out of direct marketing by replying to a direct marketing text message with a single word instruction (for example, ‘STOP’).
- Telling the recipient of a direct marketing phone call that they can verbally opt out from any future calls.
- Including instructions about how to opt out in each mailed communication.
7.31 In each case, an organisation may use an opt out mechanism that provides the individual with the opportunity to indicate their direct marketing communication preferences, including the extent to which they wish to opt out. However, the organisation should always provide the individual with an option to opt out of all future direct marketing communications as one of these preferences.
Using and disclosing sensitive information for the purpose of direct marketing with the individual’s consent
7.32 APP 7.4 provides that an organisation may use or disclose sensitive information for the purpose of direct marketing if the individual has consented to the use or disclosure for that purpose.
7.33 The requirement to obtain consent applies even if the individual and the organisation have a pre-existing relationship. If consent is not obtained, the entity cannot rely on this exception – even if obtaining consent is impracticable or impossible in the circumstances.
7.34 Consent is discussed in paragraph 7.24, and generally in Chapter B (Key concepts). ‘Sensitive information’ is defined in s 6(1) and discussed in Chapter B (Key concepts).
Using and disclosing personal information for the purpose of direct marketing by contracted service providers
7.35 APP 7.5 provides that an organisation that is a contracted service provider for a Commonwealth contract may use or disclose personal information for the purpose of direct marketing if:
- it collects the information for the purpose of meeting (directly or indirectly) an obligation under the contract, and
- the use or disclosure is necessary to meet (directly or indirectly) such an obligation.
7.36 The terms ‘contracted service provider’ and ‘Commonwealth contract’ are defined in s 6(1).
Requests by an individual to stop direct marketing communications
7.37 If an organisation uses or discloses personal information about an individual for the purpose of direct marketing, the individual may request not to receive direct marketing communications from that organisation (APP 7.6(c)).
7.38 The organisation must not charge the individual for making or giving effect to the request (APP 7.7). It must also stop sending the direct marketing communications within a reasonable period after the request is made (APP 7.7(a)).
7.39 An individual may also ask the organisation to identify the source of the personal information (APP 7.6(e)). The organisation must then notify the individual of its source, unless this is impracticable or unreasonable. Whether it is impracticable or unreasonable to notify the individual of the source of the personal information will depend on a number of factors, including:
- the consequences for the individual if they are not notified of the source
- the length of time that has elapsed since the personal information was collected by the organisation
- the time and cost involved. However, it would not generally be considered impracticable or unreasonable to notify the individual of its source simply due to the inconvenience or commercial cost of doing so.
7.40 Notification of the source of the personal information must be given within a reasonable period after the request is made (APP 7.7(b)). A ‘reasonable period’ should be 14 days unless special circumstances apply.
Requests by an individual to stop facilitating direct marketing
7.41 An individual may request an organisation not to use or disclose personal information about the individual for the purpose of facilitating direct marketing by a second organisation (APP 7.6(d)).
7.42 The organisation must not charge the individual for making or giving effect to the request (APP 7.7). It must also stop using or disclosing the personal information for the purpose of facilitating direct marketing by a second organisation within a reasonable period after the request is made (APP 7.7(a)).
7.43 An individual may also request the organisation to provide its source of the information (APP 7.6(e)). See paragraphs 7.39 to 7.40 above, for discussion of this requirement.
7.44 Where the second organisation is an APP entity, an individual can also make a request to not receive direct marketing communications from that organisation (APP 7.6(c)).
When does an organisation ‘facilitate’ direct marketing?
7.45 An organisation (the first organisation) facilitates direct marketing where it collects personal information for the purpose of providing that information to another organisation (the second organisation), so that the second organisation can undertake direct marketing of its own products or services. For example, an organisation facilitates direct marketing where it collects personal information and sells that information to the second organisation which uses the information to send out marketing material.
7.46 An organisation does not facilitate direct marketing where it engages a second organisation to carry out, or assist in carrying out, direct marketing on its own behalf. In these circumstances, the second organisation will usually be a contractor, or an agent of the first organisation.
7.47 When the first organisation engages a second organisation to carry out direct marketing on its behalf, it should ensure that the contractual arrangements with the second organisation reflect the first organisation’s obligations under APP 7. Where the second organisation is an APP entity, it must also comply with the APPs when handling personal information.
7.48 In particular, where an individual makes a request to the second organisation to stop the direct marketing under APP 7.6, the contractual arrangements between the two organisations should require the second organisation to pass on the opt out request to the first organisation.
7.49 The following are given as examples of where an organisation ‘carries out’ direct marketing through a contractor, rather than facilitates direct marketing by a second organisation:
- an organisation engages a mailing house to mail out its direct marketing communications
- an organisation engages a second organisation to conduct door-to-door marketing or telemarketing on its behalf.
Interaction with other legislation
7.50 The Spam Act 2003 (Spam Act) and the Do Not Call Register Act 2006 (DNCR Act) contain specific provisions regarding direct marketing. Where the act or practice of an APP entity is subject to the Spam Act, DNCR Act, or other legislation prescribed under the regulations, APP 7 does not apply to the extent that this legislation applies (APP 7.8).
7.51 If an organisation that is an APP entity is exempt or partially exempt from the Spam Act or DNCR Act, APP 7 may still apply to the acts and practices of that organisation to the extent of that exemption.
Australian Privacy Principle 8 – cross-border disclosure of personal information
Key points
- Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (APP 8.1).
- An APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (s 16C).
- There are exceptions to the requirement in APP 8.1 to take reasonable steps and to the accountability provision in s 16C.
What does APP 8 say?
8.1. APP 8 and s 16C create a framework for the cross-border disclosure of personal information. This framework generally requires an APP entity to ensure that an overseas recipient will handle the individual’s personal information in accordance with the APPs, and makes the APP entity accountable if the overseas recipient mishandles the information.
8.2. APP 8.1 provides that before an APP entity discloses personal information about an individual to an overseas recipient, the entity must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. Where an APP entity discloses personal information to an overseas recipient, it is accountable for an act or practice of the overseas recipient that would breach the APPs (s 16C).
8.3. There are exceptions to the requirement in APP 8.1 and to the accountability provision in s 16C (see paragraphs 8.11 – 8.52).
8.4. When an APP entity discloses personal information to an overseas recipient it will also need to comply with APP 6 – that is, it must only disclose the information for the primary purpose for which it was collected unless an exception to that principle applies (see Chapter 6).
What is an overseas recipient?
8.5. Under APP 8.1, an ‘overseas recipient’ is a person who receives personal information from an APP entity and is:
- not in Australia or an external Territory
- not the APP entity disclosing the personal information, and
- not the individual to whom the personal information relates.
8.6. This means that where an APP entity in Australia sends information to an overseas office of the entity, APP 8 will not apply as the recipient is the same entity. This is to be distinguished from the case where an APP entity in Australia sends personal information to a ‘related body corporate’ located outside of Australia. In that case, the related body corporate is a different entity to the APP entity in Australia. It will therefore be an ‘overseas recipient’ and APP 8 will apply.
When does an APP entity ‘disclose’ personal information about an individual to an overseas recipient?
8.7. The term ‘disclose’ is not defined in the Privacy Act and bears its normal dictionary meaning.
8.8. An APP entity will generally disclose personal information when it permits that information to become known outside the entity and releases it from its effective control. The release of the information may be a proactive release or publication, a release in response to a specific request, or an accidental release. In the context of APP 8, an APP entity will disclose personal information to an overseas recipient where it:
- shares the personal information with an overseas recipient
- discusses the personal information at an international conference or meeting overseas
- sends a hard copy document or email containing an individual’s personal information to an overseas client
- publishes the information on the internet, whether intentionally or not, and it is accessed by an overseas recipient.
8.8A ‘Disclosure’ is a separate concept from:
- ‘unauthorised access’ which is addressed in APP 11. An APP entity is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information. Examples include unauthorised access following a cyber-attack or a theft, including where the third party then makes that information available to others outside the entity. However, where a third party gains unauthorised access, the APP entity may breach APP 11 if it did not take reasonable steps to protect the information from unauthorised access (see APP 11, Chapter 11)
- an individual’s right to access their personal information, which is addressed in APP 12 (see Chapter 12)
- ‘use’. An APP entity uses personal information where personal information is handled, or an activity is undertaken with the information, within the entity. An example of a ‘use’ of personal information is where an APP entity routes personal information through servers located outside Australia. In limited circumstances, the provision of personal information to a contractor may also be a ‘use’ of that information (see paras 8.10 to 8.13 below).
8.9. For further information about the concepts of ‘use’ and ‘disclosure’ of personal information, see Chapter B (Key concepts).
Provision of personal information to a contractor
8.10. Where an APP entity engages a contractor located overseas to perform services on its behalf, in most circumstances, the provision of personal information to that contractor is a disclosure. This means that the entity will need to comply with APP 8 before making that disclosure. Where a subcontractor may be engaged, the entity should also take reasonable steps to ensure that the subcontractor does not breach the APPs in relation to the information.
8.11. For example, the provision of personal information to a contractor is generally considered a ‘disclosure’ where:
- an Australian based retailer outsources the processing of online purchases through its website to an overseas contractor and, in order to facilitate this, provides the overseas contractor with personal information about its customers
- an Australian entity, as part of a recruitment drive, provides the personal information of job applicants to an overseas services provider to perform reference checks on behalf of the Australian entity
- an Australian organisation relies on its overseas parent company to provide technical and billing support, and as part of this, provides the overseas parent company with access to its Australian customer database (which includes personal information)
8.12. However, in limited circumstances, providing personal information to an overseas contractor to perform services on behalf of an APP entity may be a ‘use’. In these circumstances, the entity would not need to comply with APP 8. For example, where an APP entity provides personal information to a cloud service provider located overseas for the limited purpose of storing and managing personal information, and:
- the contract between the entity and the overseas cloud service provider binds the provider not to use or disclose the personal information except for the limited purpose of storing and managing the information
- the contract requires any sub-contractors to agree to the same obligations, and
- the contract between the entity and the cloud service provider gives the entity effective control of the information. Issues to consider include whether the entity retains the right or power to access, change or retrieve the information, who else will be able to access the information and for what purposes, and what type of security measures will be used for the storage and management of the personal information.
8.13. Where the provision of personal information to an overseas recipient is a use, and the APP entity continues to hold that information, the APP entity still needs to comply with the APPs in relation to the information. An entity holds personal information if it ‘has possession or control of a record that contains the personal information’ (s 6(1)). ‘Holds’ is discussed in more detail in Chapter B (Key concepts).
When will an APP entity have taken reasonable steps?
8.14. The requirement in APP 8.1 to ensure that an overseas recipient does not breach the APPs is qualified by a ‘reasonable steps’ test. The appropriate steps for an entity will depend upon circumstances that include:
- the nature of the personal information. The more sensitive the information the greater the risk of harm to the individual should personal information be mishandled by an overseas recipient
- the entity’s relationship with the overseas recipient. Additional steps may be required if an entity discloses information to an overseas recipient to which the entity has not previously disclosed personal information
- the risk of harm to an individual if the information is mishandled by the overseas recipient.
- existing technical and operational safeguards implemented by the overseas recipient which will protect the privacy of the personal information. For example, additional steps may be required where the recipient has limited safeguards in place
- the practicability of taking particular steps. A ‘reasonable steps’ test recognises that privacy protection must be viewed in the context of the practical options available to an APP entity. On the other hand, an entity is not automatically excused from taking steps before an overseas disclosure by relying on the inconvenience or cost of doing so.
8.15. It is generally expected that an APP entity should enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs (other than APP 1). Contractual arrangements may include:
- The types of personal information to be disclosed and the purpose of disclosure.
- A requirement that the overseas recipient complies with the APPs in relation to the collection, use, disclosure, storage and destruction or de-identification of personal information. This should also require the overseas recipient to enter a similar contractual arrangement with any third parties to whom it discloses the information (for example, a sub-contractor).
- The complaint handling process for privacy complaints.
- A requirement that the recipient implement a data breach response plan which includes a mechanism for notifying the entity where there are reasonable grounds to suspect a data breach and outlines appropriate remedial action (based on the type of personal information to be handled under the contract).
8.16. Where an agency discloses personal information to a recipient that is engaged as a contracted service provider, the agency must also comply with s 95B of the Privacy Act. Section 95B(1) provides that an agency must take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an APP if done by that agency. The contract must contain provisions to ensure that such an act or practice is not authorised by a subcontract (s 95B(3)). Contractual measures taken under s 95B may help an agency to comply with the requirement in APP 8.1. However, additional steps may be required in some circumstances (see paragraph 8.14).
Disclosure of personal information to an overseas recipient that is subject to a similar law or binding scheme
8.17. An APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where the APP entity reasonably believes that:
- the overseas recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way the APPs protect the information, and
- mechanisms can be accessed by the individual to enforce that protection of the law or binding scheme (APP 8.2(a)).
‘Reasonable belief’
8.18. The ‘reasonable belief’ test enables an APP entity to assess the applicability of this exception on a case-by-case basis, by considering the information available to it at the time of the disclosure and the context of the particular disclosure.
8.19. The APP entity must have sound evidence to support this belief. For example this might be based on independent legal advice.
‘Law or binding scheme’
8.20. An overseas recipient may be subject to a law or binding scheme, where, for example, it is:
- bound by a privacy or data protection law that applies in the jurisdiction of the recipient
- required to comply with another law that imposes obligations in relation to the handling of personal information – for example some taxation law includes provisions that expressly authorise and prohibit specified uses and disclosures, permit the retention of some data, require destruction after a certain period of time and under particular circumstances, and include a right of access to an individual’s personal information
- subject to an industry scheme or privacy code that is enforceable once entered into, irrespective of whether the recipient was obliged or volunteered to participate or subscribe to the scheme or code.
8.21. However, an overseas recipient may not be subject to a law or binding scheme where, for example:
- the overseas recipient is exempt from complying, or is authorised not to comply, with part, or all of the privacy or data protection law in the jurisdiction
- the recipient can opt out of the binding scheme without notice and without returning or destroying the personal information.
‘Substantially similar to’
8.22. A substantially similar law or binding scheme would provide a comparable, or a higher level of privacy protection to that provided by the APPs. Each provision of the law or scheme is not required to correspond directly to an equivalent APP. Rather, the overall effect of the law or scheme is of central importance.
8.23. Whether there is substantial similarity is a question of fact. Factors that may indicate that the overall effect is substantially similar, include:
- the law or scheme includes a comparable definition of personal information that would apply to the information disclosed to the recipient
- the law or scheme regulates the collection of personal information in a comparable way
- the law or scheme requires the recipient to notify individuals about the collection of their personal information
- the law or scheme requires the recipient to only use or disclose the personal information for authorised purposes
- the law or scheme includes comparable data quality and data security standards
- the law or scheme includes a right to access and seek correction of personal information.
Mechanisms to enforce privacy protections
8.24. A range of dispute resolution or complaint handling models may satisfy the requirement for an accessible enforcement mechanism. It is not essential that the mechanism provide recourse to a regulatory body, similar to the Office of the Australian Information Commissioner (OAIC). Instead, these mechanisms may be expressly included in a law or scheme or may take effect through the operation of cross-border enforcement arrangements between the OAIC and an appropriate regulatory authority in the foreign jurisdiction.
8.25. Any enforcement mechanisms must be easily accessible to the individual, for example, via the internet.
Disclosure of personal information to an overseas recipient with the individual’s consent after being expressly informed
8.26. An APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where:
- the APP entity expressly informs the individual that if they consent to the disclosure, this principle will not apply, and
- the individual then consents to the disclosure (APP 8.2(b)).
‘Expressly inform’
8.27. An APP entity should provide the individual with a clear written or oral statement explaining the potential consequences of providing consent. At a minimum, this statement should explain that if the individual consents to the disclosure and the overseas recipient handles the information in breach of the APPs:
- the entity will not be accountable under the Privacy Act
- the individual will not be able to seek redress under the Privacy Act.
8.28. The statement should also:
- if applicable, explain that the individual may not be able to seek redress in the overseas jurisdiction
- be made at the time consent is sought
- not rely on assumed prior knowledge of the individual
- explain any other practical effects or risks associated with the disclosure that it is aware of, or would be reasonably expected to be aware of. These may include that:
- the recipient may not be subject to any privacy obligations or to any principles similar to the APPs
- the recipient is subject to a foreign law that could compel the disclosure of personal information to a third party, such as an overseas authority.
Consent
8.29. Consent is defined in s 6(1) as ‘express consent or implied consent’, and is discussed in more detail in Chapter B (Key concepts). The four key elements of consent are:
- the consent must be voluntary
- the individual must be adequately informed before giving consent (in this case ‘expressly informed’)
- the consent must be current and specific, and
- the individual must have the capacity to understand and communicate their consent.
8.30. An APP entity does not need to obtain consent before every proposed cross-border disclosure. It may obtain an individual’s consent to disclose a particular kind of personal information to the same overseas recipient for the same purpose on multiple occasions, providing it has expressly informed the individual of the potential consequences of providing that consent. In doing this the entity should not seek a broader consent than is necessary for its purposes, for example, consent for undefined future uses, or consent to all legitimate uses or disclosures.
8.31. If an individual withdraws their consent, the entity must no longer rely on the original consent when dealing with the individual’s personal information.
Disclosure of personal information to an overseas recipient as required or authorised by law
8.32. An APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where the disclosure is ‘required or authorised by or under an Australian law or a court/tribunal order’ (APP 8.2(c)). An APP entity cannot rely on a requirement or authorisation in an overseas jurisdiction (see paragraph 8.60). The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in Chapter B (Key concepts).
8.33. The following are examples of where a law or order may require or authorise disclosure of personal information to an overseas recipient:
- An APP entity disclosing personal information to the government of a foreign country under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
- An agency disclosing personal information to an overseas recipient under the Australian Federal Police Act 1979 or the Mutual Assistance in Criminal Matters Act 1987 (Cth).
8.34. An agency that intends to rely on this exception should consider establishing administrative arrangements, memorandums of understanding or protocols with the overseas recipient that set out mutually agreed standards for the handling of personal information. These should provide privacy protections comparable to the APPs (see discussion of contractual measures in paragraph 8.15).
Disclosure of personal information to an overseas recipient where a permitted general situation exists
8.35. The cross-border principle will not apply if a permitted general situation exists for that disclosure (APP 8.2(d)). Section 16A lists five permitted general situations that may exist for a cross-border disclosure. These situations are set out below, and are discussed in more detail in Chapter C (Permitted general situations) (including the meaning of relevant terms).
Lessening or preventing a serious threat to life, health or safety
8.36. An APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where:
- the entity reasonably believes the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and
- it is unreasonable or impracticable to obtain consent (s 16A(1), Item 1).
8.37. For example, this exception might apply where an APP entity discloses the personal information of an individual to a foreign authority, based on a reasonable belief that this disclosure will lessen a serious threat to the health or safety of that individual’s children, but seeking the individual’s consent may increase the threat.
Taking appropriate action in relation to suspected unlawful activity or serious misconduct
8.38. An APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where the entity:
- has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in, and
- reasonably believes that the cross-border disclosure is necessary for the entity to take appropriate action in relation to the matter (s 16A(1), Item 2).
8.39. For example, this exception may apply where an APP entity that is a global organisation has reason to suspect that an individual is engaging in transnational fraud affecting the entity’s activities, and the entity reasonably believes that disclosing personal information to an overseas authority is necessary to take appropriate action.
Locating a missing person
8.40. An APP entity may disclose personal information to an overseas recipient without complying with APP 8.1 where:
- the entity reasonably believes that the disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing, and
- the disclosure complies with rules made by the Information Commissioner under s 16A(2) of the Privacy Act (s 16A(1), Item 3).
Necessary for a diplomatic or consular function or activity
8.41. An agency may disclose personal information to an overseas recipient without complying with APP 8.1 where the agency reasonably believes that the disclosure is necessary for the agency’s diplomatic or consular functions or activities (s 16A(1), Item 6).
8.42. For example, this exception may apply where an agency discloses personal information to an overseas recipient to assist an Australian citizen who is in distress overseas, such as where an Australian individual is detained or is the victim of crime, or where assistance is required with repatriation in the case of death or serious illness.
Necessary for certain Defence force activities outside Australia
8.43. The Defence Force (as defined in s 6(1)) may disclose personal information to an overseas recipient without complying with APP 8.1 where it reasonably believes that the disclosure is necessary for a warlike operation, peacekeeping, civil aid, humanitarian assistance, a medical emergency, a civil emergency or disaster relief occurring outside Australia and the external Territories (s 16A(1), Item 7).
8.44. For example, this exception might apply where, in the immediate aftermath of a natural or man-made disaster outside Australia, the Defence Force discloses an individual’s personal information to an overseas recipient in order to assist in the provision of proper medical care to that individual.
Disclosure of personal information to an overseas recipient as required or authorised under an international agreement relating to information sharing
8.45. An agency may disclose personal information to an overseas recipient without complying with APP 8.1 where the disclosure is ‘required or authorised by or under an international agreement relating to information sharing to which Australia is a party’ (APP 8.2(e)).
8.46. Information sharing need not be the primary subject matter of the agreement, so long as the agreement makes provision for information sharing.
8.47. An agency must be able to identify a specific provision in the agreement that requires, or grants a discretion to, the agency to disclose the type of information. The meaning of ‘required’ and ‘authorised’ is discussed in more detail in Chapter B (Key concepts).
8.48. The exception is intended to include all forms of agreements relating to information sharing (for example, treaties and exchanges of letters) to which Australia is a party.
Disclosure of personal information to an overseas recipient for an enforcement related activity
8.49. An agency may disclose personal information to an overseas recipient without complying with APP 8.1 where both of the following apply:
- the agency reasonably believes that the disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, and
- the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body (APP 8.2(f)).
8.50. This exception is intended to enable an agency that is an enforcement body to cooperate with international counterparts for enforcement related activities.
8.51. ‘Enforcement body’ is defined in s 6(1) as a list of specific bodies. The list includes Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions. Examples of Commonwealth enforcement bodies are the Australian Federal Police, Australian Crime Commission, Customs, the Integrity Commissioner, Australian Prudential Regulation Authority and Australian Securities and Investments Commission.
8.52. ‘Enforcement related activities’ is defined in s 6(1) and discussed in Chapter B (Key concepts). For further discussion of a similar exception in APP 6.2(e), see Chapter 6.
When is an APP entity accountable for personal information that it discloses to an overseas recipient?
8.53. An APP entity that discloses personal information to an overseas recipient is accountable, in certain circumstances, for an act or practice of the overseas recipient in relation to the information that would breach the APPs (s 16C(1)). Accountable means that the act or practice is taken to have been done by the APP entity and to be a breach of the APPs by that entity (s 16C(2)).
8.54. This accountability provision only applies where:
- APP 8.1 applies to the disclosure – that is, none of the exceptions in APP 8.2 apply to the disclosure
- the APPs do not apply to an act or practice of the overseas recipient in relation to the information – for example, where an exemption to the Privacy Act applies to the recipient (Part II) or where the recipient is not an agency and does not have an Australian link (the term ‘Australian link’ is discussed in more detail in Chapter B (Key concepts)), and
- the overseas recipient’s act or practice would breach the APPs (other than APP 1) if it had applied to the conduct (s 16C(1)).
8.55. Under the accountability provision, an APP entity may be liable for the acts or practices of the overseas recipient (and the individual will have a means of redress) even where:
- the entity has taken reasonable steps to ensure the overseas recipient complies with the APPs (see APP 8.1) and the overseas recipient subsequently does an act or practice that would breach the APPs
- the overseas recipient discloses the individual’s personal information to a subcontractor and the subcontractor breaches the APPs
- the overseas recipient inadvertently breaches the APPs in relation to the information.
Overseas acts or practices required by a foreign law
8.56. Section 6A(4) provides that an act or practice required by an applicable law of a foreign country will not breach the APPs if it is done, or engaged in, outside Australia and the external Territories. The meaning of ‘required’ by a law is discussed in Chapter B (Key concepts).
8.57. The effect of this provision is that where an overseas recipient of personal information does an act or practice that is required by an applicable foreign law, this will not breach the APPs. The APP entity will also not be responsible for the act or practice under the accountability provision.
8.58. For example, the Patriot Act (USA) may require the overseas recipient to disclose personal information to the Government of the United States of America. In these circumstances, the APP entity would not be responsible under the accountability provision for the disclosure required by that Act.
8.59. An APP entity should consider notifying an individual, if applicable, that the overseas recipient may be required to disclose their personal information under a foreign law. The entity could also explain that the disclosure will not breach the APPs. This information could be included in the APP entity’s APP 5 notice (for a more detailed discussion of the requirements for notice at the time of collection, see Chapter 5).
8.60. This provision does not apply to acts or practices that are done or engaged in, within Australia. Where a foreign law requires an APP entity in Australia to disclose personal information to an overseas recipient the entity must comply with APPs 6 and 8.
Australian Privacy Principle 9 – Adoption, use or disclosure of government related identifiers
What does APP 9 say?
9.1 An organisation must not adopt, use or disclose a government related identifier unless an exception applies. APP 9 may apply to an agency in some circumstances.
9.2 The objective of APP 9 is to restrict general use of government related identifiers by organisations so that they do not become universal identifiers. If widely adopted, used or disclosed, identifiers could enable an entity to match and link personal information about an individual collected from different sources, in ways that the individual may not agree with or expect.
9.3 An individual cannot consent to the adoption, use or disclosure of their government related identifier.
What is a ‘government related identifier’?
Identifiers
9.4 An ‘identifier’ of an individual is defined in s 6(1) as a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.
9.5 The following are explicitly excluded from the definition of identifier:
- an individual’s name
- an individual’s Australian Business Number (ABN)
- anything else prescribed by the regulations made under the Privacy Act. This provides flexibility to exclude any specified types of identifiers from the definition, as required.
9.6 An identifier is personal information. An APP entity must therefore handle identifiers in accordance with the APPs. ‘Personal information’ is discussed in more detail in Chapter B (Key concepts).
Government related identifiers
9.7 A ‘government related identifier’ of an individual is defined in s 6(1) as an identifier that has been assigned by:
- an agency
- a State or Territory authority
- an agent of an agency, or a State or Territory authority, acting in its capacity as agent, or
- a contracted service provider for a Commonwealth contract, or a State contract, acting in its capacity as contracted service provider for that contract.
9.8 The following are given as examples of government related identifiers:
- Medicare numbers
- Centrelink Reference numbers
- driver licence numbers
- passport numbers
9.9 Some government related identifiers are governed by their own legal frameworks, which restrict the way that entities can collect, use or disclose the particular identifier and related personal information. Examples include tax file numbers and individual healthcare identifiers.
When are agencies covered by APP 9?
9.10 An agency must comply with the adoption, use and disclosure requirements of APP 9 when dealing with government related identifiers in the circumstances set out in s 7A of the Privacy Act.
9.11 These circumstances include where:
- an agency that is listed in Part I of Schedule 2 to the Freedom of Information Act 1982 is prescribed in regulations, or
- the act or practice relates to the commercial activity of an agency that is specified in Part II of Schedule 2 to the Freedom of Information Act 1982.
Adoption of government related identifiers
9.12 An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless an exception applies (APP 9.1).
What does adoption mean?
9.13 An organisation adopts a government related identifier if it collects a particular government related identifier of an individual and organises the personal information that it holds about that individual with reference to the same identifier.
9.14 The following are examples of when an organisation will be considered to have adopted a government related identifier of an individual:
- A health service provider uses an individual’s Medicare number as the basis for the provider’s own identification system.
- An accountant uses an individual’s tax file number as the basis of the accountant’s own identification system.
9.15 Adoption is to be distinguished from collecting, using or disclosing a government related identifier. APP 9 does not specifically address the collection of government related identifiers. However, an organisation must comply with APP 3 (collection of solicited personal information) and APP 4 (dealing with unsolicited personal information) when dealing with government related identifiers. These APPs are discussed in Chapter 3 and 4 respectively.
9.16 APP 3 provides that an organisation must only collect personal information that is reasonably necessary for one or more of the organisation’s functions or activities. If an organisation collects an identifier that it cannot lawfully use or disclose under APP 9.2 (see para 9.23 onwards), then the collection is not reasonably necessary for one of the organisation’s functions or activities. This means that the collection would not be permitted under APP 3.2.
9.17 Paragraphs 9.23 to 9.46 explain the circumstances in which an organisation is permitted to use or disclose government related identifiers.
Adoption of a government related identifier as required or authorised by or under an Australian law or a court/tribunal order
9.18 An organisation may adopt a government related identifier of an individual as its own identifier of the individual if the adoption is required or authorised by or under an Australian law or a court/tribunal order (APP 9.1(a)). The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in Chapter B (Key concepts).
9.19 The Australian law or court/tribunal order should specify a particular government related identifier, the organisations or classes of organisations permitted to adopt it, and the particular circumstances in which they may do so.
9.20 For example, healthcare providers are authorised by law to adopt the individual healthcare identifiers of their patients as their own identifier. That is, they may organise the personal information of their patients by reference to the patients’ individual healthcare identifiers.
Adoption of a government related identifier as prescribed by regulations
9.21 An organisation may adopt a government related identifier of an individual as its own identifier of the individual if:
- the identifier is prescribed by regulations
- the organisation, or a class of organisations that includes the organisation, is prescribed by regulations, and
- the adoption occurs in the circumstances prescribed by the regulations (APP 9.1(b)).
9.22 Regulations may be made under the Privacy Act to prescribe these matters.
Use and disclosure of government related identifiers
9.23 An organisation must not use or disclose a government related identifier of an individual, unless an exception applies (APP 9.2). The terms ‘use’ and ‘disclosure’ are discussed in Chapter B (Key concepts).
9.24 An organisation must handle any personal information that it uses or discloses at the same time as a government related identifier in accordance with APP 6. However, APP 6 does not apply to the disclosure of government related identifiers (APP 6.7(b)). The circumstances in which an organisation may use or disclose government related identifiers under APP 9.2 are narrower in scope than the circumstances in which an organisation may use or disclose other personal information under APP 6. See Chapter 6 for further details about the use and disclosure of personal information.
Use or disclosure of a government related identifier where reasonably necessary to verify the identity of the individual
9.25 An organisation may use or disclose the government related identifier of an individual if the use or disclosure is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions (APP 9.2(a)).
9.26 This exception allows an organisation to use a government related identifier to both establish the identity of an individual and to verify that an individual is who or what they claim to be.
9.27 Government related identifiers are usually contained in high-integrity documents, and are therefore likely to be highly reliable for verifying an individual’s identity.
9.28 The use and disclosure of the government related identifier to verify the identity of the individual must be reasonably necessary for the purposes of the organisation’s functions or activities. Whether the use or disclosure is ‘reasonably necessary’ is an objective test. This is discussed in more detail in Chapter B (Key concepts). The functions and activities of the organisation are limited to those in which it may lawfully engage. See Chapter 3 for a discussion of identifying the functions and activities of an organisation.
9.29 There are a number of factors that an organisation should consider to decide whether the use or disclosure is reasonably necessary to verify the identity of an individual. For example, it may not be reasonably necessary where:
- The organisation can carry out the function or activity without verifying the individual’s identity. For example, an organisation may only need to sight the government related identifier, and potentially note the fact that it was sighted, in order to carry out its function or activity. Where an organisation interacts with an individual on a one-off basis, for example, when an individual purchases alcohol, it is likely that the organisation would only need to sight a driver’s licence or passport containing the identifier.
- There are other practicable means of verifying the individual’s identity available to the organisation. For example, an organisation may be able to verify an individual’s identity by collecting, using or disclosing other types of personal information, rather than the government related identifier (noting that the collection, use and disclosure of other personal information must comply with the relevant APPs).
9.30 An organisation should also consider its obligation under APP 2 to give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with the organisation in relation to a particular matter. The requirement in APP 2 will not apply if the organisation is required or authorised by or under an Australian law or a court/tribunal order to deal with individuals who have identified themselves, or it is impracticable for the organisation to deal with individuals who have not identified themselves or have used a pseudonym. See Chapter 2 for more information on APP 2.
Use or disclosure of a government related identifier where reasonably necessary to fulfil obligations to an agency or a State or Territory authority
9.31 An organisation may use or disclose a government related identifier of an individual if the use or disclosure is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority (APP 9.2(b)).
9.32 This exception is most likely to be relevant to a contracted service provider, and will allow them to use or disclose a government related identifier if this is reasonably necessary to perform a Commonwealth or State or Territory contract. Whether the use or disclosure is ‘reasonably necessary’ is an objective test. This is discussed in more detail in Chapter B (Key concepts).
Use or disclosure of a government related identifier as required or authorised by or under an Australian law or a court/tribunal order
9.33 An organisation may use or disclose a government related identifier of an individual if the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order (APP 9.2(c)).
9.34 The meaning of ‘required or authorised by or under an Australian law or a court/tribunal order’ is discussed in Chapter B (Key concepts).
9.35 The Australian law or court/tribunal order should specify a particular government related identifier, the organisations or classes of organisations permitted to use or disclose it, and the particular circumstances in which they may do so.
9.36 For example, the Healthcare Identifiers Act 2010 permits the use or disclosure of healthcare identifiers for limited purposes by healthcare providers and other entities specified in that Act.
Use or disclosure of a government related identifier where a permitted general situation exists
9.37 An organisation may use or disclose a government related identifier of an individual if a ‘permitted general situation’ (other than the situations referred to in items 3, 4 or 5 of the table in subsection 16A(1)) exists in relation to the use or disclosure of the identifier (APP 9.2(d)).
9.38 Section 16A lists two permitted general situations that apply to the use or disclosure of government related identifiers. The two situations are set out below, and are discussed in Chapter C (Permitted general situations) (including the meaning of relevant terms).
Lessening or preventing a serious threat to life, health or safety
9.39 An organisation may use or disclose a government related identifier of an individual if:
- the organisation reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and
- it is unreasonable or impracticable to obtain consent (s 16A(1), item 1).
Taking appropriate action in relation to suspected unlawful activity or serious misconduct
9.40 An organisation may use or disclose a government related identifier of an individual if:
- the organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the organisation’s functions or activities has been, is being or may be engaged in, and
- the organisation reasonably believes that the use or disclosure is necessary in order for the organisation to take appropriate action in relation to the matter (s 16A(1), item 2).
9.41 For example, this exception might apply where the organisation uses or discloses a government related identifier, such as a customer’s Centrelink number, as part of an investigation into suspected fraud within an organisation.
Use or disclosure of a government related identifier to an enforcement body for enforcement related activities
9.42 An organisation may use or disclose a government related identifier of an individual if the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (APP 9.2(e)).
9.43 An organisation that collects or holds a government related identifier will be able to rely on this exception to cooperate with relevant enforcement bodies in certain circumstances.
9.44 ‘Enforcement body’ is defined in s 6(1) as a list of specific bodies. The list includes Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions. Examples of Commonwealth enforcement bodies are the Australian Federal Police, Australian Crime Commission, Customs, the Integrity Commissioner, Australian Prudential Regulation Authority and Australian Securities and Investments Commission.
9.45 ‘Enforcement related activities’ is defined in s 6(1) and discussed in Chapter B (Key concepts). ‘Reasonably believes’, ‘reasonably necessary’ and ‘enforcement body’ are also discussed in Chapter B (Key concepts). For further discussion of a similar exception in APP 6.2(e), see Chapter 6.
9.46 For example, this exception might apply where the Australian Federal Police are investigating fraud committed by an individual against the organisation. The organisation may reasonably believe that disclosure of a copy of a driver’s licence to the AFP is reasonably necessary for the AFP’s investigation, where the AFP needs to obtain information provided by that individual to the organisation.
Use or disclosure of a government related identifier as prescribed by regulations
9.47 An organisation may use or disclose a government related identifier of an individual if:
- the identifier is prescribed by regulations
- the organisation, or a class of organisations that includes the organisation, is prescribed by regulations, and
- the use or disclosure occurs in the circumstances prescribed by the regulations (APP 9.2(f)).
9.48 Regulations may be made under the Privacy Act to prescribe these matters.
Australian Privacy Principle 10 – quality of personal information
Key points
· An APP entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete.
· An APP entity must take reasonable steps to ensure that the personal information it uses and discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
What does APP 10 say?
10.1 An APP entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete (APP 10.1).
10.2 An APP entity must also take reasonable steps to ensure that the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant (APP 10.2).
10.3 Handling poor quality personal information can have significant privacy impacts for individuals. The requirements in APP 10 ensure that an APP entity only handles high quality personal information, which builds community trust and confidence in an entity’s information handling practices.
What are reasonable steps?
10.4 In the context of APP 10, ‘reasonable steps’ involves balancing quality considerations (discussed in paragraphs 10.10 – 10.25) with other considerations, which could include:
· the size and nature of the APP entity and whether its information handling practices may impact on a large number of individuals
· the nature of the personal information handled. The more sensitive the information the greater the risk of harm to the individual should poor quality personal information be used or disclosed
· the adverse consequences for an individual if poor quality personal information is collected, used or disclosed. For example, additional steps will be required where an entity makes a decision based on the information which may have consequences for the individual
· the method or time of collection. Additional steps may be required where personal information is collected from a third party or has been collected some time ago
· the practicability of taking particular steps to ensure quality. A ‘reasonable steps’ test recognises that privacy protection must be viewed in the context of the practical options available to an APP entity. On the other hand, an entity is not automatically excused from taking steps to improve data quality by relying on the inconvenience or commercial cost of doing so.
10.5 In some circumstances it will be reasonable for an APP entity to take no steps to ensure data quality. This is implicit in the use of the phrase ‘if any’ in the principle. For example, where an entity collects personal information from a source known to be reliable (such as the individual concerned) it may be reasonable to take no steps to ensure data quality. This may also be reasonable where using or disclosing poor quality information will not have any adverse consequences for the individual.
When should an entity take reasonable steps?
10.6 APP 10 requires that an APP entity ‘must take such steps (if any) as are reasonable in the circumstances’ to ensure the quality of personal information at two distinct points in the information handling cycle.
10.7 The first of these is when the entity collects the personal information. At this point it must ensure that the personal information is accurate, up-to-date and complete.
10.8 The second is when using or disclosing personal information. At this time the entity must ensure that, having regard to the purpose of using or disclosing the personal information, it is not only accurate, up-to-date and complete, but that it is also relevant.
Examples of reasonable steps
10.9 The following are given as examples of reasonable steps that an APP entity could consider:
· implementing internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information (including training staff in these practices, procedures and systems)
· implementing protocols that ensure personal information is collected and recorded in a consistent format
· ensuring updated or new personal information is promptly added to relevant existing records
· providing individuals with a simple means to review and update their information on an on-going basis, for example through an online portal
· reminding individuals to update their personal information each time the APP entity engages with the individual
· contacting the individual to verify the quality of personal information when it is used or disclosed, particularly if there has been a lengthy period since collection. (However, this step may not be reasonable where the APP entity has already taken other steps to ensure data quality, such as those outlined in this list)
· checking that a third party, from whom personal information is collected, has implemented appropriate data quality practices, procedures and systems. Depending on the circumstances, this could include:
o making enforceable contractual arrangements to ensure that the third party implements appropriate data quality measures in relation to the personal information the entity collects from the third party
o undertaking due diligence in relation to the third party’s data quality practices prior to the collection.
· if information is to be used or disclosed for a new purpose that is not the primary purpose of collection, assessing the quality of the data having regard to that new purpose before the use or disclosure.
What are the quality considerations?
10.10 An APP entity should plan and implement reasonable steps, based on a clear understanding of the terms ‘accurate’, ‘up-to-date’, ‘complete’, ‘relevant’ and ‘purpose’.
10.11 These terms are not defined in the Privacy Act so it is appropriate to refer to the ordinary meaning of these words. Regard may also be had to their meanings as expressed by courts from time to time and in other consumer law contexts. Guidance on the meaning of these words is outlined below, along with examples of how each term may apply. These examples show some overlap between each term.
Accurate
10.12 Accurate means ‘free from error or defect’ or ‘exactly conforming to truth, to a standard or rule, or to a model’. Examples of inaccurate personal information include factually incorrect or misleading information.
10.13 The following examples illustrate reasonable steps that may be taken to ensure that personal information is accurate:
· An APP entity collects personal information from a third party and makes an adverse decision based on that information with serious consequences for the individual. Generally, there is a greater risk that information collected from a third party is inaccurate, compared to information collected from the individual. Reasonable steps could involve providing the individual with an opportunity to comment on and explain the information before making the decision.
· A bank holds a record of an individual’s previous residential address. When the individual defaults on a loan repayment, the bank uses the previous residential address for the purpose of contacting the individual to seek payment of the debt. Reasonable steps to ensure the accuracy of address information may involve putting processes in place to prompt individuals each time they engage with the bank to provide any change of address details to the bank.
10.14 The definition of personal information includes ‘information or an opinion’ (s 6(1)). Particular steps should be taken by an entity to ensure the accuracy of an opinion. Generally, an opinion is accurate where it takes into account competing facts and views and makes an informed assessment, providing it is clear this is an opinion and not an objective fact. An individual may disagree with an opinion but that does not mean the personal information held by the entity is inaccurate.
10.15 However, there are some circumstances where an opinion may be inaccurate. For example if the holder of the opinion was shown to be biased or unqualified to form the opinion, or acted improperly or if a similar reason applies.
10.16 Reasonable steps to ensure an opinion is accurate could include:
· ensuring the opinion is from a reliable source
· providing the opinion to the individual before it is used or disclosed
· clearly indicating on the record that this is an opinion and identifying who has formed that opinion.
Up-to-date
10.17 Up-to-date means ‘extending to the present time; including the latest facts’. It covers situations where an existing record is misleading because subsequently available information has not been added to the record.
10.18 This does not mean that any personal information relating to a past event is out-of-date. The extent to which personal information is up-to-date will depend on the functions or activities for which the information is collected and the purpose for which it is used or disclosed.
10.19 To help an entity determine whether personal information from a particular point in time is up-to-date for a particular purpose, records should clearly show the point in time to which the personal information relates.
Complete
10.20 Complete means ‘having all its parts or elements; whole; entire; full’. Complete information gives a true picture of the facts. Incomplete information may give a misleading impression to others and lead to incorrect decisions.
10.21 The following examples illustrate the reasonable steps that may be taken to ensure that personal information is complete:
· An APP entity publishes a tenancies database for the purpose of providing its members with information about defaults on tenant agreements including failure to pay rent or damage to property. Entries for a number of tenants show that they owe a debt. In these circumstances, the entity needs to take reasonable steps to ensure that the database includes any information that the tenant has since repaid the debt. More onerous steps may be required given the potentially significant consequences of an incomplete listing for an individual in these circumstances, such as difficulty in obtaining access to housing
· an agency uses information on an individual’s case file to assess eligibility for a benefit. The information is incomplete – stating that an individual has two rather than three children. The individual previously advised an officer of the agency that they had a new baby, but this information was not incorporated into the case file. Reasonable steps could include implementing practices and procedures to ensure that new personal information is promptly added to relevant existing records.
Relevant
10.22 An APP entity is required to take reasonable steps to ensure that personal information is relevant when it uses or discloses that information.
10.23 ‘Relevant’ means ‘bearing upon or connected with the matter in hand; to the purpose; pertinent’.
10.24 Relevance is assessed by reference to the purpose of the use or disclosure. This means that an entity must take reasonable steps to ensure it only uses or discloses so much of the personal information it holds about an individual as is relevant to the purpose of a particular use or disclosure. For example, an organisation holds personal information about a client (including the client’s name, address, job description, financial position, physical disabilities and marital status), that was collected for the purpose of providing the client with financial advice. The organisation is later instructed to buy shares on the client’s behalf. The organisation must take reasonable steps to ensure that when doing so, it only uses and discloses parts of the information relevant to purchasing the shares, such as the client’s name.
Purpose
10.25 For uses and disclosures of personal information, an APP entity must ensure the quality of the information is appropriate for the purpose of the use or disclosure. In this context, purpose means the reason for the use or disclosure. ‘Purpose’ is discussed in more detail in Chapter B (Key concepts).
Interaction with other APPs
10.26 The requirements in APP 10 to take reasonable steps to ensure the quality of personal information are complemented by other requirements in APP 3 (collection of solicited personal information), APP 11 (security of personal information), APP 12 (access to personal information) and APP 13 (correction of personal information).
APP 3 (collection of solicited personal information)
10.27 While APP 10.1 does not specifically require an entity to take reasonable steps to ensure that the personal information it collects is relevant to the purpose of collection, this requirement is implied in APP 3. Under APP 3, an APP entity can only collect personal information that is reasonably necessary for (or, for agencies, directly related to) the entity’s functions or activities. For sensitive information, an entity will also need the individual’s consent, unless an exception applies (see Chapter 3).
10.28 APP 3.6 generally requires an APP entity to collect personal information about an individual only from that individual unless it is unreasonable or impracticable to do so, or if the entity is an agency, another exception applies (see APP 3.6, discussed in Chapter 3). Where APP 10 requires an APP entity to take reasonable steps to ensure the quality of personal information it uses or discloses, the entity may need to collect personal information from a third party if it is unreasonable or impracticable to collect it from the individual.
APP 11 (security of personal information)
10.29 Under APP 11 an APP entity must take reasonable steps to destroy or de-identify personal information that it no longer needs, unless it is contained in a Commonwealth record or the entity is required by or under an Australian law, or a court/tribunal order, to retain it (see Chapter 11). Where an entity amends information or adds new information to a record to comply with APP 10, it should consider whether it needs to destroy or de-identify other information it holds under APP 11.
APP 12 (access to personal information) and APP 13 (correction of personal information)
10.30 APP 12 requires an APP entity, on request, to give the individual access to personal information held about them, unless an exception applies (see Chapter 12).
10.31 APP 13 requires an APP entity to take reasonable steps to correct information where either:
· the entity is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, or
· the individual requests correction (see Chapter 13).
10.32 Providing access to personal information under APP 12 enables individuals to review personal information held about them. This allows an individual to identify whether any information is inaccurate, out-of-date, incomplete or irrelevant, and seek its correction under APP 13.
10.33 By facilitating an individual’s access and correction under APPs 12 and 13, an APP entity can better ensure that information is accurate, up-to-date, complete and relevant when it is used or disclosed.
10.34 In addition to responding to requests for access and correction under APPs 12 and 13, an APP entity should proactively provide individuals with a simple means to review and update their personal information on an on-going basis (see the fourth example in paragraph 10.9).
Australian Privacy Principle 11 — security of personal information
Key points
· An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
· Where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that the information is de-identified. This requirement applies except where:
o the information is part of a Commonwealth record, or
o the APP entity is required by law or a court/tribunal order to retain the information.
What does APP 11 say?
11.1 APP 11 requires an entity to take active measures to ensure the security of personal information it holds, and to actively consider whether it is able to retain personal information.
11.2 An APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure (APP 11.1).
11.3 An APP entity must destroy or de-identify the personal information it holds once the information is no longer needed for any purpose for which the information may be used or disclosed under the APPs. This requirement does not apply where the information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the information (APP 11.2).
When does an APP entity ‘hold’ personal information?
11.4 APP 11 only applies to personal information that an APP entity holds. An entity holds personal information ‘if the entity has possession or control of a record that contains the personal information’ (s 6(1)). The term ‘holds’ is discussed in more detail in Chapter B (Key concepts).
What are reasonable steps?
11.5 In the context of APP 11.1, ‘reasonable steps’ involve balancing security considerations (discussed in paragraphs 11.8 – 11.17) with other considerations, which could include:
· The nature of the APP entity. This includes the entity’s business model or governance arrangements. For example, it may be reasonable for an APP entity:
o with a large number of staff and resources to take additional steps compared to a smaller entity to ensure the security of the personal information the entity holds
o that operates through franchises or dealerships, or that provides contractors with access to information it holds, to take different or further steps than a more centralised entity.
· The nature, quantity and extent of personal information held, and whether this requires the APP entity to take additional steps. For example, the more sensitive the information, the greater the risk of harm to the individual if the information is subject to misuse, interference or loss, or unauthorised access, modification or disclosure. It may therefore be reasonable for an APP entity to take additional steps to protect sensitive information it holds.
· The adverse consequences for an individual if their personal information is not secured. For example, an individual may suffer reputational harm if their personal information becomes public, or material harm if exposure of their information enables identity theft or fraud. Generally, more rigorous steps may be required as the risk of adverse consequences increases.
· The APP entity’s data handling practices, such as how it collects, uses and stores personal information. This includes whether data handling practices are outsourced to third parties, and whether those third parties are subject to the Privacy Act. If a third party is not subject to the Privacy Act, it may be reasonable for the entity to take steps to ensure the third party meets the entity’s obligations under the Privacy Act, for example through specific privacy obligations in contracts and mechanisms to ensure these are being fulfilled.
· The practicability of implementing a particular measure. A ‘reasonable steps’ test recognises that privacy protection must be viewed in the context of the practical options available to an APP entity. On the other hand, an entity is not automatically excused from adopting appropriate information management practices, procedures and systems by relying on the inconvenience or commercial cost of doing so.
· Whether a security measure is in itself privacy invasive. For example, while an APP entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity (see also Chapter 12).
11.6 Reasonable steps could include taking steps and implementing strategies to manage the following:
· governance
· ICT security
· data breaches
· physical security
· personnel security and training
· workplace policies
· the information life cycle
· standards
· regular monitoring and review.
11.7 For further discussion of the relevant considerations, and examples of steps that may be reasonable for an APP entity to take, see the Office of the Australian Information Commissioner’s Guide to information security: ‘reasonable steps’ to protect personal information (OAIC Information Security Guide).
What are the security considerations?
11.8 An APP entity should plan and implement reasonable steps, based on a clear understanding of the terms ‘misuse’, ‘interference’, ‘loss’, ‘unauthorised access’, ‘modification’ or ‘disclosure’.
11.9 The terms ‘misuse’, ‘interference’, ‘loss’, ‘unauthorised access’, ‘modification’ and ‘disclosure’ are not defined in the Privacy Act so it is appropriate to refer to the ordinary meaning of these words. An APP entity should also consider the meaning of these terms as clarified by courts from time to time, and in other consumer law contexts. Guidance on the meaning of these words is outlined below. These examples show some overlap between each term.
Misuse
11.10 ‘Misuse’ means ‘wrong or improper use’ or ‘misapplication’. An example of a ‘misuse’ of personal information is where an APP entity uses information it holds for a purpose other than a permitted purpose. APP 6 sets out when an APP entity is permitted to use personal information (see Chapter 6).
11.11 ‘Use’ is discussed in more detail in Chapter B (Key concepts).
Interference
11.12 ‘Interference’ of personal information occurs where there is an attack on personal information that an APP entity holds that interferes with the information but does not necessarily modify its content. ‘Interference’ includes an attack on a computer system that, for example, leads to exposure of personal information.
Loss
11.13 ‘Loss’ means ‘the accidental or inadvertent losing of something dropped, misplaced, or of unknown whereabouts’ or the ‘failure to preserve or maintain’. It covers an APP entity’s ‘loss’ of personal information that it holds, other than by intentional destruction or de-identification. This includes when an APP entity:
· physically loses information, such as by leaving it in a public place, or
· electronically loses information, such as failing to keep adequate backups of personal information in the event of a systems failure.
11.14 Loss of personal information could also potentially occur following unauthorised access or modification of the information.
Unauthorised access
11.15 ‘Unauthorised access’ to personal information occurs when personal information that an APP entity holds is accessed by someone who is not permitted to do so.
Unauthorised modification
11.16 ‘Unauthorised modification’ of personal information occurs when personal information that an APP entity holds is altered by someone who is not permitted to do so.
Unauthorised disclosure
11.17 ‘Unauthorised disclosure’ occurs when an APP entity releases personal information from its effective control in a way that is not permitted under the APPs. The term ‘disclosure’ is discussed in more detail in Chapter B (Key concepts).
Destroying or de-identifying personal information
11.18 An APP entity must take reasonable steps to destroy or de-identify personal information it holds if it no longer needs the information for any purpose for which it may be used or disclosed under the APPs (APP 11.2). The requirement to take reasonable steps to destroy or de-identify does not apply if personal information is contained in a Commonwealth record, or if an Australian law or a court/tribunal order requires it to be retained (APP 11.2). In practice, this means that different rules apply to agencies and organisations.
Personal information held by an agency
11.19 The term ‘Commonwealth record’ in s 6(1) of the Privacy Act has the same meaning as in s 3 of the Archives Act 1983. The core meaning is ‘a record that is the property of the Commonwealth’ or a Commonwealth agency. This is likely to include, in almost all cases, all personal information held by agencies.
11.20 If the personal information is contained in a Commonwealth record, the agency is not required to destroy or de-identify the information under APP 11.2, even if it no longer needs the information for any purpose for which it may be used or disclosed under the APPs. However, an agency still needs to consider its obligations under the Archives Act.
11.21 A Commonwealth record can, as a general rule, only be destroyed or altered in accordance with s 24 of the Archives Act. The grounds on which this may be done include ‘normal administrative practice’ and destruction or alteration in accordance with an arrangement approved by the Archives (often titled a Records Disposal Authority). See Chapter B (Key concepts) for more information about Commonwealth records.
Personal information held by an organisation
11.22 An organisation should have practices, procedures and systems in place to identify personal information that needs to be destroyed or de-identified (see APP 1.2, discussed in Chapter 1).
11.23 Where an organisation ‘holds’ (see paragraph 11.4 and Chapter B (Key concepts) for a discussion of ‘holds’) personal information it no longer needs for a purpose that is permitted under the APPs, it must ensure that it takes reasonable steps to destroy or de-identify the personal information. This obligation applies even where the organisation does not physically possess the personal information, such as where it is held in electronic form on a third party’s hardware.
11.24 Where an organisation holds personal information that needs to be destroyed or de-identified, it must take reasonable steps to destroy all copies it holds of that personal information, including copies that have been archived or are held as back-ups.
Required by or under an Australian law or a court/tribunal order
11.25 If an organisation is required by or under an Australian law or a court/tribunal order to retain personal information, it is not required to take reasonable steps to destroy or de-identify it (APP 11.2(d)).
11.26 ‘Australian law’ is defined in s 6(1). The term ‘required by or under an Australian law’ is discussed in Chapter B (Key concepts).
Reasonable steps to destroy personal information – irretrievable destruction
11.27 Personal information is destroyed where it can no longer be retrieved. The steps that are reasonable for an organisation to take to destroy personal information will depend on whether the personal information is held in hard copy or electronic form.
11.28 For example, for information held:
- in hard copy, disposal through garbage or recycling collection would not ordinarily constitute taking reasonable steps to destroy the information, unless the information had already been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding
- in electronic form, reasonable steps will vary depending on the kind of hardware used to store the information. In some cases it may be possible to ‘sanitise’ the hardware to completely remove stored information. For hardware that cannot be sanitised, reasonable steps must be taken to destroy the personal information in another way, such as by irretrievably destroying it. Where it is not possible to irretrievably destroy personal information held in electronic format, an organisation should instead comply with APP 11.2 by taking reasonable steps to de-identify the personal information (see para 11.31 below), or by putting it beyond use (see para 11.29 below).
- on a third party’s hardware, such as cloud storage, where the organisation has instructed the third party to delete the personal information, reasonable steps would include taking steps to verify that deletion has occurred (by either destruction or de-identification, as appropriate).
Reasonable steps to destroy personal information held in electronic format – putting beyond use
11.29 Where it is not possible for an organisation to irretrievably destroy personal information held in electronic format, reasonable steps to destroy it would include putting the information ‘beyond use’. Information is ‘beyond use’ if the organisation:
- is not able, and will not attempt, to use or disclose the personal information
- cannot give any other entity access to the personal data
- surrounds the personal information with appropriate technical and organisational security. This should include, at a minimum, access controls together with log and audit trails, and
- commits to take reasonable steps to irretrievably destroy the information if, or when, this becomes possible.
11.30 It is expected that only in very limited circumstances would it not be possible for an organisation to destroy personal information held in electronic format. For example, only where technical reasons may make it impossible to delete the personal information without also deleting other information held with that information, which the entity is required to retain.
De-identifying personal information
11.31 Personal information is de-identified once the information is no longer about an identifiable individual or an individual who is reasonably identifiable (s 6(1)). De-identification is discussed in more detail in Chapter B (Key concepts).
11.32 An organisation that intends to comply with APP 11.2 by taking reasonable steps to de-identify personal information should consider whether de-identification is appropriate in the circumstances. For guidance on de-identifying personal information see the OAIC’s De-identification Fact Sheet. Regardless of the de-identification technique chosen, an organisation undertaking de-identification must take reasonable steps to minimise the likelihood that the information could be re-identified.
11.33 De-identification of personal information may be more appropriate than destruction where the de-identified information could provide further value or utility to the organisation or a third party. For example, where:
- an agency makes de-identified information available for public access and reuse, or
- an organisation shares de-identified information with researchers.
11.34 On the other hand, where it is unclear whether the risk of re-identification can be appropriately minimised, the organisation should instead consider the reasonable steps available to destroy the information.