Privacy Case Note 02/2014 (Section 33)

Case note number: 02/2014

Privacy principles: Section 33 – Transfer of personal information outside of Australia

The complaint

A public authority (the Agency) maintained a publicly-accessible register both in hard copy form and an online version. The Agency maintained the online register as a more administratively simple means for third parties to obtain the listed individuals’ information.

The Complainant requested that the Agency remove their entry in the online version (only) as they wished to limit their online presence. The Agency refused.

The mediation process

Alleged Breach of Section 33

The Complainant asserted that they had not authorised their personal information to be posted online and the agency was consequently in breach of section 33 of the IP Act.

Section 33 of the IP Act states that an agency may transfer an individual’s personal information to an entity outside of Australia only if one (or more) of four exemptions applies.1  For web-based content the two most relevant exemptions are the individual has explicitly agreed to the posting or if the inclusion of an individual’s personal information on the web-site is authorised or required under a law.

While initially trying to rely on ‘implied agreement’, the Agency discontinued this argument as it was not disputed that the Complainant did not agree to their personal information being included on the online register. Also there is no capacity for ‘implied agreement in section 33. The Agency did not assert there was a law authorising or requiring the online register.

The parties were also in agreement that the hardcopy register qualified as a ‘generally available publication’ to which the privacy principles did not apply by reason of Schedule 1, Part 7(a) of the IP Act.

Exception from the privacy principles

The first disputed issue to be considered was whether personal information extracted from a ‘generally available publication’ similarly attracted the exception in Schedule 1, Part 7(a).

OIC’s view was that it did not because Schedule 1, Part 7(a) applies to a ‘document’ as opposed to personal information contained in the document. OIC’s held that had the Agency digitised the hardcopy register as a whole and made it available online the exception would have applied. However, because the Agency was extracting information from the ‘generally available publication’ and then posting those extracts online it was creating a new document with the online register.

Section 33 and Information Privacy Principle 11

The Agency also argued that because the Complainant’s personal information was able to be found out through the hardcopy register, the accessing of the same information online was not a ’disclosure’ as defined by section 23(2) of the IP Act.

However, section 33 is defined in terms of the ‘transfer’ of personal information rather than disclosure of the information. As such, the definition of ‘disclosure’ in section 23(2) of the IP Act is not applicable to section 33.

Applicability of section 33

A technical issue was at what point does a breach of section 33 occur? Practicably, if the personal information is sitting in an Australian-located server, the act of ‘transfer’ occurs only when someone overseas accesses the personal information. Until that action occurs, there is no transfer and accordingly, no breach of section 33.

The complaint didn’t hinge on this distinction as the mediation discussions between the Agency and the Complainant occurred on the basis that the mere existence of the online register created the potential for the personal information in it to be transferred overseas.

What the Applicant sought for the process

To settle the matter, the Complainant requested that their personal information be removed from the online database.

Agency response

The Agency initially refused to remove the personal information from the online database, insisting that this was not technically possible.

The complainant advised that they had made a similar but informal request to other Agencies and they had removed the Complainant’s name from these other databases.

Outcome of the complaint

At the culmination of the discussions concerning the above issues, the Agency agreed to remove the Complainant’s personal information from the online database and the Complainant indicated their approval of this outcome.

[1] The exemptions also include for public health and safety reasons and generally, when the destination country has equivalent privacy protections to the privacy principles in the IP Act.