PAW blog series 2019: Navigating IPP 2 – Sharing personal information under the PDP Act
Have you ever found yourself hesitating just before sending a work email about an individual to another organisation, concerned that you might be breaching that individual’s privacy? Are you confused about if, and when, you need to seek an individual’s consent to use or disclose their personal information?
You’re not alone. From time to time we’ve all wished we had a magical privacy eight-ball that had all the answers at our fingertips.
The good news is that you can now reach for OVIC’s new pocket guide to use and disclosure of personal information under Information Privacy Principle 2 (IPP 2) of the Privacy and Data Protection Act 2014, titled “Can I use and disclose personal information?”.
This handy guide contains a summary of IPP 2, its primary purpose rule and all the exceptions. It also contains some key tips to help guide you through the most important considerations to turn your mind to when using and disclosing personal information.
Most of the time, use and disclosure will be straightforward – you should only use or disclose personal information for the same purpose for which you collected it (we call this the “primary purpose”). But what about those uses and disclosures that fall outside the primary purpose? In those circumstances, if the proposed use or disclosure does not fit into any of the exceptions under IPP 2, you should usually not proceed with it.
Understandably, people don’t like it when they find out that their information has been used in a way they didn’t expect. Being as transparent as possible ensures that you don’t lose their trust. You can do this by clearly communicating your organisation’s information handling practices through notices and policies.
Sometimes it will be best to seek the individual’s consent to use or disclose their personal information for a secondary purpose, but this won’t always be necessary or appropriate. Personal information can, for example, be shared for law enforcement purposes or when authorised by a different law.
OVIC’s pocket guide is designed to be a quick reference tool to keep the key points of appropriate use and disclosure fresh in your mind. When you’re looking for more in-depth guidance, you should look to other legislation that applies to your organisation. You can also turn to OVIC’s Guidelines to the Information Privacy Principles and Guidelines for sharing personal information.
So next time you find your cursor hovering over the ‘Send’ button, unsure how to proceed, remember to reach for OVIC’s Pocket Guide!
And remember, if you get stuck, you can always contact your organisation’s Privacy Officer or OVIC’s Privacy Guidance Team. We’re here to help.