Basic guide to IPPs 8-11 - Use and disclosure

Use¹

Under Information Privacy Principle (IPP) 10, an agency² must not use personal information for a purpose other than that for which it was obtained. However, alternative use is permitted in circumstances where:

• the secondary purpose is directly related to the primary purpose
• the individual has expressly or impliedly agreed to the use for the secondary purpose
• the use is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare
• the use is authorised or required under law
• the use is necessary for law enforcement purposes; or
• the use is necessary for research or statistical purposes.

Keep in mind when using personal information that:

• before an agency can use personal information, it must take reasonable steps to ensure that the information is accurate, complete and up to date (IPP 8)
• when an agency proposes to use a document containing personal information for a particular purpose, the agency must only use those parts of the personal information which are directly relevant to fulfilling that particular purpose (IPP 9).

Disclosure³

Under IPP 11, an agency must not disclose personal information to a third party, unless:

• the individual is reasonably likely to be aware that it is the agency's usual practice to disclose that type of personal information to the third party
• the individual has expressly or impliedly agreed to the disclosure
• the disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare
• the disclosure is authorised or required under law
• the disclosure is necessary for law enforcement purposes (see below);
• The Australian Security Intelligence Organisation (ASIO) has asked the agency to disclose the information; or
• the disclosure is necessary for research or statistical purposes (see below)

However, where a disclosure occurs under one of the exceptions above, the agency must take all reasonable steps to ensure that the third party does not use or disclose the information for a purpose other than the purpose for which the information was disclosed by the agency.

Law enforcement

Law enforcement purposes include:

• prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions
• the enforcement of laws relating to the confiscation of crime proceeds
• protection of the public revenue
• the prevention, detection, investigation or remedying of seriously improper conduct; and
• the preparation for, or conduct of, court/tribunal proceedings, or implementation of court/tribunal orders.

Where a use or disclosure is made under the law enforcement exception, a note must also be included in the document the subject of the use or disclosure.

Request by ASIO

In order to fall within this exception:

• ASIO must ask for the agency to disclose the personal information
• an officer or employee of ASIO, authorised by the director-general of ASIO,  must certify that the personal information is required in connection with ASIO's functions; and
• the agency must only disclose the personal information to an officer or employee of ASIO who is authorised in writing by the director-general of ASIO to receive the personal information.

Research/statistics

In order to fall within this exception, all of the following must apply:

• the use/disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest
• the use/disclosure does not involve the publication of any identifying details of the individual; and
• it is not practicable to obtain the express or implied agreement of each individual before use/disclosure.

In addition, where the information is disclosed to a third party under IPP 11, the agency must be satisfied that the third party will not further disclose the personal information to another entity.