Under Information Privacy Principle (IPP) 10, an agency2 must not use personal information for a purpose other than that for which it was obtained. However, alternative use is permitted in circumstances where:
- the secondary purpose is directly related to the primary purpose
- the individual has expressly or impliedly agreed to the use for the secondary purpose
- the use is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare
- the use is authorised or required under law
- the use is necessary for law enforcement purposes; or
- the use is necessary for research or statistical purposes.
Keep in mind when using personal information that:
- before an agency can use personal information, it must take reasonable steps to ensure that the information is accurate, complete and up to date (IPP 8)
- when an agency proposes to use a document containing personal information for a particular purpose, the agency must only use those parts of the personal information which are directly relevant to fulfilling that particular purpose (IPP 9).
Under IPP 11, an agency must not disclose personal information to a third party, unless:
- the individual is reasonably likely to be aware that it is the agency's usual practice to disclose that type of personal information to the third party
- the individual has expressly or impliedly agreed to the disclosure
- the disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare
- the disclosure is authorised or required under law
- the disclosure is necessary for law enforcement purposes (see below);
- The Australian Security Intelligence Organisation (ASIO) has asked the agency to disclose the information; or
- the disclosure is necessary for research or statistical purposes (see below)
However, where a disclosure occurs under one of the exceptions above, the agency must take all reasonable steps to ensure that the third party does not use or disclose the information for a purpose other than the purpose for which the information was disclosed by the agency.
Law enforcement purposes include:
- prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions
- the enforcement of laws relating to the confiscation of crime proceeds
- protection of the public revenue
- the prevention, detection, investigation or remedying of seriously improper conduct; and
- the preparation for, or conduct of, court/tribunal proceedings, or implementation of court/tribunal orders.
Where a use or disclosure is made under the law enforcement exception, a note must also be included in the document the subject of the use or disclosure.
Request by ASIO
In order to fall within this exception:
- ASIO must ask for the agency to disclose the personal information
- an officer or employee of ASIO, authorised by the director-general of ASIO, must certify that the personal information is required in connection with ASIO's functions; and
- the agency must only disclose the personal information to an officer or employee of ASIO who is authorised in writing by the director-general of ASIO to receive the personal information.
In order to fall within this exception, all of the following must apply:
- the use/disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest
- the use/disclosure does not involve the publication of any identifying details of the individual; and
- it is not practicable to obtain the express or implied agreement of each individual before use/disclosure.
In addition, where the information is disclosed to a third party under IPP 11, the agency must be satisfied that the third party will not further disclose the personal information to another entity.
- 1 Please refer to Key privacy concepts - use for further guidance on what constitutes use.
- 2 In this Guideline references to an 'agency' also include Ministers and bound contracted service providers, unless otherwise specified.
- 3 Please refer to Key privacy concepts - disclosure for further guidance on what constitutes disclosure.
Current as at: June 5, 2017