IPP 2: Use and disclosure
Document version: IPP 2, 2019.A (consultation draft), 28 February 2019.
The basic rule of IPP 2.1 is relatively straightforward: use and disclose personal information only for the purpose for which it was collected (the ‘primary purpose’).
However, IPP 2 allows the use and disclosure of personal information on certain circumstances for other purposes (‘secondary purposes’).
IPP 2 contains eight other instances where use or disclosure may be permitted for a secondary purpose. These are contained in IPPs 2.1 (a) – (h). Seven of these envisage use or disclosure without consent.
What is a ‘use’ or ‘disclosure?’
The terms ‘use’ and ‘disclosure’ are not defined in the PDP Act.
The Macquarie Australian Dictionary defines ‘use’ as ‘employ for some purpose’. Examples of uses of personal information by an organisation include:
- a staff member of the organisation accessing and reading the personal information;
- the organisation making a decision based on the personal information;
- the organisation passing the personal information from one part of the organisation to another; or
- unauthorised access to the personal information by an employee of the entity.
The term ‘disclose’ takes its ordinary dictionary meaning, ‘opening something up to view or revealing it’. An organisation ‘discloses’ information where it releases the information out of its effective control and into the control of another organisation or person. The release may be a proactive release or publication, a release in response to a specific request, or an accidental or unauthorised release.
Accidental or unauthorised disclosures may also point to a breach of IPP 4 – Data Security.
Verbal disclosure of recorded information
As noted in the Key Concepts chapter, the PDP Act does not apply to personal information unless it is recorded.
However, IPP 2 will apply to all disclosures of recorded personal information no matter how the disclosure occurs.
For that reason, the PDP Act will apply to verbal disclosures of personal information that also exists in a recorded form.
Disclosure by allowing others to view information
Personal information can be disclosed even though it remains in the possession or control of its original collector.
For example, if a person from outside an organisation is permitted to read information held by an organisation on a computer screen, then the organisation has disclosed the information to the person.
Intra-organisation uses and disclosures
Many organisations in the Victorian public sector are closely related or may fall under the same portfolio department.
Departmental portfolios are commonly comprised of distinct business units, statutory agencies and independent statutory offices. For example, a Department may have various business units, panels, commissions, boards and other entities carrying out many functions in diverse areas.
These individual entities may be separate ‘organisations’ under s 13 of the PDP Act. They will have different functions, which will impact on the types of personal information collected. These separate entities may also have other legal authorisations to collect personal information, for example, under their enabling legislation, and obligations of confidentiality that impact the entity’s authority to collect or disclose the information.
A disclosure by one body or entity will constitute a collection by the recipient body. Organisations, and entities within a departmental portfolio, should ensure they comply with both IPPs 1 and 2 when they share personal information (while keeping in mind their obligations under other relevant IPPs).
IPP 2.1: Primary purpose
IPP 2.1 permits use and disclosure for the primary purpose for which the personal information was collected. This is the ‘primary purpose’. The purpose for which information is collected can be inferred from or implicit in the circumstances of collection.1IPP 2.1 is therefore linked to collection notices (issued under IPP 1.3), as organisations should have already explained the primary purpose of collection to the individual. This means organisations need to consider and define the specific function to activity for which they are collecting the information.
In Ng v Department of Education  VCAT 1054 at -, VCAT defined ‘purpose’ narrowly meaning the primary purpose is even narrower still. In contrast, number of recent VCAT cases listed below have shown that the primary purpose may be defined widely.For further discussion of the meaning of ‘purpose’, see the Key Concepts chapter.
Identifying the primary purpose
The following examples may help organisations to define and describe the primary purpose of collection.
- In Harrison v Victorian Building Authority (Human Rights)  VCAT 108 , the primary purpose was the administration of complaints.
- In Zeqaj v Victoria Police (Human Rights)  VCAT 1733 , the use of personal information to assess a firearms license was within the primary purpose of collection by Victoria Police which was to preserve the peace, protect life and property, prevent the commission of offences and detect and apprehend offenders.
- In Complainant H v Local Council  VPrivCmr 2 the former Privacy Commissioner found that Council’s public disclosure of petitioners’ names and addresses in its minutes was consistent with the primary purpose of collection which was for the Council to facilitate the democratic process in government decision-making.
- In Complainant AF v Local Council  VPrivCmr 1, the use of a letter as evidence in a prosecution was found by VCAT to be within the primary purpose of investigation potential breaches of the Food Act.
- In Zeqaj v Victoria Police (Human Rights)  VCAT 2105 , , the Tribunal found the primary purpose of the video recording was ‘to protect Victoria Police from future claims by the complainants as to the condition of the house and property and the manner of the search, to document the location and removal of items in the linen cupboard cavity and to provide a contemporaneous record of discussions with Mr Visho Zeqaj at the conclusion of the search.’
As is apparent from this list, the primary purpose for collection will vary in breadth and generality according to the circumstances of collection, use or disclosure. OVIC suggests that organisations should define the primary purpose of collection of personal information narrowly.
Compulsorily acquired information
Where an organisation compulsorily acquires personal information, the purposes for which it can use and disclose that information will be more limited than if the information was obtained voluntarily. This is for two reasons. First, the scope of the power used to compulsorily acquire the information will limit the scope of the primary purpose of collection. Second, the fact that the information was compulsorily acquired may impose an obligation of confidence upon the organisation, in accordance with the principle discussed in Johns v Australian Securities Commission (1993) 178 CLR 408 (Johns). In Johns, Justice Brennan of the High Court of Australia said:
W)hen a power to require disclosure of information is conferred for a particular purpose, the extent of dissemination or use of the information disclosed must itself be limited by the purpose for which the power was conferred. In other words, the purpose for which a power to require disclosure of information is conferred limits the purpose for which the information disclosed can lawfully be disseminated or used…
A statute which confers a power to obtain information for a purpose defines, expressly or impliedly, the purpose for which the information when obtained can be used or disclosed. The statute imposes on the person who obtains information in exercise of the power a duty not to disclose the information obtained except for that purpose. If it were otherwise, the definition of the particular purpose would impose no limit on the use or disclosure of the information. The person obtaining information in exercise of such a statutory power must therefore treat the information obtained as confidential whether or not the information is otherwise of a confidential nature. Where and so far as a duty of non-disclosure or non-use is imposed by the statute, the duty is closely analogous to a duty imposed by equity on a person who receives information of a confidential nature in circumstances importing a duty of confidence…
It is therefore important to ascertain the purposes for which such information can be legitimately used or disclosed.2
This case concerned the disclosure of transcripts of evidence by the former Australian Securities Commission (ASC) to the Royal Commission into the collapse of the Tricontinental group of companies. The transcripts of Johns’ evidence (the managing director of the companies at the time) had been acquired through the compulsory examination powers of the ASC and were subject to confidentiality obligations and strict limitations around use and disclosure. The ASC permitted the Royal Commission to use the material in public hearings, which were then reported by the media. Johns successfully argued that he had been denied natural justice by the ASC in not being provided an opportunity to be heard before they allowed the confidential material to be publicly disseminated, so as to prejudice his rights or interests. Public disclosure could prejudice Johns’ personal reputation and encroach on his right to maintain silence about the matters being investigated by the ASC. The High Court of Australia held that the ASC’s decision to disclose the transcripts to the Royal Commission for use in public hearings was therefore invalid.
Where an organisation has compelled the provision of information, it should be cautious about disclosing that information for any other purpose.
There are many situations where individuals are compelled to provide their information in order to obtain a benefit, exercise a right, or comply with a legal obligation. Examples include
- obtaining a driver’s licence or registering a motor vehicle;
- registering a pet cat or dog;
- planning to renovate or build a house, or objecting to a planning proposal;
- applying for public housing;
- practising as a professional (e.g., as a teacher, lawyer or doctor);
- seeking a licence to operate a child care centre;
- working in certain child-related areas;
- voting at state and local government elections; or
- complying with notices to produce documents or give evidence.
Organisations should carefully examine any laws underpinning the compulsory collection of information to ensure that any subsequent use or disclosure of that information is permitted.
IPP 2.1(a): Reasonably expected related secondary purposes
Under IPP 2.1(a), an organisation can use and disclose personal information for a related secondary purpose, if an individual the information is about would reasonably expect the organisation to do so.
Determining whether a proposed use or disclosure is authorised under IPP 2.1(a)
The secondary purposes for use and disclosure must be related (or, in the case of sensitive information, directly related) to the primary purpose of collection and consistent with what an individual would reasonably expect.
This is a two-part test:
- Is the secondary purpose related (or directly related) to the primary purpose?
- Would an individual whose information was collected reasonably expect the use or disclosure?
Related secondary purposes
The secondary purpose for which the information is used or disclosed has to be connected to or associated with the primary purpose. It must relate to the primary purpose for which it was collected. If sensitive information is involved, the secondary purpose has to be directly related to the primary purpose. VCAT has said the link between the primary and secondary purposes must be ‘clear, undeniable and inextricable’.3
The Explanatory Memorandum to the PDP Act suggests that a reasonably expected secondary use would be where information collected in delivering a government service is subsequently used to manage, evaluate or improve that particular service. So, quality assurance, program evaluation and development are likely to be regarded as reasonably expected secondary purposes. The Explanatory Memorandum says:
[Organisations] are entitled to use or disclose personal information for a secondary purpose where it is related to the primary purpose of collection and the use or disclosure is within the reasonable expectations of the individual. This would be the case, for example, where the information was used to manage, evaluate or improve particular government services in relation to which the information was originally collected. Secondary uses or disclosures are otherwise permitted in cases where there is a strong public interest in doing so.
In Ng v Department of Education  VCAT 1054 (6 June 2005), the Department installed a CCTV camera in the computer room of a school to minimise the risk of vandalism and to monitor student use of the computers. The CCTV footage was subsequently used during an investigation into the teacher’s work performance in the classroom. In that case, VCAT found that the purpose of installing the CCTV camera was not the broad purpose of taking visual recordings of any ‘relevant incident’ that may need to be investigated, but the specific purpose of collecting information about student misbehaviour and inappropriate conduct. However, use of the CCTV footage to assess the teacher’s performance in managing inappropriate student behaviour was a secondary purpose ‘clearly related to monitoring the inappropriate behaviour itself.4
Examples of related secondary purposes, found to be within the reasonable expectations of the person involved include:
- the use of personal information by local councils for fire and flood protection. Local councils may collect information from ratepayers in relation to owners’ properties. The primary purpose of collection may be to make decisions about amenities, value, uses and upkeep of those properties. However, disclosure of this information to a relevant authority for the secondary purpose of safety against bushfire, flood or extreme weather would be a related and reasonably expected secondary purpose.
- the secondary use by police of firearm licence holders’ fingerprints in the investigation of crime.5
- the disclosure of a tertiary student’s contact details to a debt collector after the student incurred a debt for a course. This was related to the primary purpose of collection, that is, the enrolment of fee-paying students.6
In some cases, use or disclosure would not be related, despite what may seem at first glance to be an apparent link between the primary purpose and the disclosure. For example, in Duggan v Moira Shire Council (Unreported, VCAT, Preuss SM, 11 October 2004) , VCAT found that the primary purpose of collecting the identity of a person who found a dog, was not related to the secondary purpose of informing the grateful owner of the finder’s details so that the owner could thank the finder:
I am unable to accept the submission that the secondary purpose was related to the primary purpose. The primary purpose of collection was to enable the Council to make contact with the (finder) to collect the dog, and if there were any difficulties in so doing, to get further particulars of the dog’s whereabouts. I am not satisfied that the disclosure of the (finder’s) name to (the owner) was related to this purpose.
For a use or disclosure to be ‘reasonably expected’, it is necessary to ask what an ordinary person in the position of the person who the information is about would consider reasonable. This is an objective test It is the reasonable expectation of an ordinary person, who is not necessarily expert in the workings of government, that is to be considered in the particular circumstances.
The expectations of the actual individual involved are a consideration, but they are not determinative.
Case Study 2A: Referral of ministerial correspondence reasonably expected7
A Minister disclosed personal information about a complainant to the organisation which was the subject of the complaint.
The Commissioner considered the disclosure to be part of the primary purpose insofar as a Minister would typically refer matters to those with the requisite responsibility or capacity to assist on a matter. The Commissioner said that even if such a disclosure was not for the primary purpose, it was for a secondary purpose related to the primary purpose.
The Commissioner reasoned that an ordinary person, although not expert in government administration, would reasonably expect that the Minister and his or her personal staff do not themselves deal with the detail of complaints and enquiries from the public. Rather, a person would reasonably expect that the Minister and his or her staff would refer the complaint (and the complainant’s details) to those who can and should deal with them.
A secondary use or disclosure might be reasonably expected where that use or disclosure is ‘inextricably linked’ to the primary purpose of collection. In Ng v Department of Education  VCAT 1054 VCAT found that:
(T)he inextricable link between inappropriate behaviour by students and the quality of teachers’ management of that behaviour is so close as to render it reasonably foreseeable by a reasonable teacher that footage taken for the one purpose should be used for the other.8
Factors affecting reasonableness of expectation
Whether an ordinary person would reasonably expect the use or disclosure will depend upon the circumstances of each case. A number of factors can influence this assessment, including:
- the manner in which the information was given to the organisation;
- the notice provided to the individual upon collection;
- the sensitivity of the personal information;
- the nature of the organisation;
- the actions of the individual in question; or
- the individual’s expressed expectations.
The manner in which the information was given to the organisation
The context in which an organisation collects the personal information from an individual affects the reasonableness of expectations of use and disclosure.
Case Study 2B: Disclosure of petitioners’ details reasonably expected9
A member of the public organised a petition and sent it to his local council. The Council invited him to attend the meeting in which it was tabled for discussion. The Council later posted the petition on its website as part of the minutes of the meeting. The petitioner was concerned that his personal details (name and address) were available on the petition and thus on the website.
In the Commissioner’s view, the primary purpose for which the Council collected the personal information contained in the petition was to facilitate the democratic process in government decision-making.
The Council had discussed the petition at an ordinary meeting that was open to members of the public. Moreover, councils, like all government bodies, have a duty to be accountable and, where possible, transparent to the public. Accordingly, the minuting of the petition and its discussion, along with any arising decisions by Council were all related secondary purposes for which it was collected.
The assessment of whether a related secondary purpose is reasonably expected is an objective one: would an ordinary person, although not expert in government administration, reasonably expect that any personal information they put on a petition, circulated through the community and tabled at a public meeting, would ultimately be disclosed?
The Commissioner considered that a person would reasonably expect such a disclosure.
The notice provided to the individual upon collection
Collection notices that outline the secondary purposes for which the information is to be used or disclosed (under IPP 1.3)10can assist in creating an expectation that information is to be used for related secondary purposes. However, further communication with an individual may be required to establish that the secondary use is ‘reasonably’ expected. For example, a secondary use or disclosure that breaches an undertaking of confidentiality cannot be said to be ‘reasonably’ expected. Collection notices cannot be used to override other existing legal obligations.
‘Reasonableness’11 requires that the related secondary use or disclosure is also proper and fair, and generally not incompatible with the primary purpose of collection. Organisations that give notice of their intention to use or disclose information in a way that is different to what a person might reasonably expect, may find that individuals will not want to transact with the organisation. Similarly, individuals may not want to provide complete and accurate information to organisations.
The sensitivity of the personal information
Later disclosures of information may be influenced by the manner in which the information was received by the organisation or whether the information is sensitive or delicate information.
For example, in Complainant H v Local Council  VPrivCmr 2 (26 February 2004) (see Case study 2B above) in addition to finding the disclosure in council minutes of petitioners’ details was in accordance with the primary purpose of collection, the former Privacy Commissioner found that the circumstances in which the information was gathered and presented to Council also created a reasonable expectation that it would be publicly disclosed. The Privacy Commissioner cautioned, however that there may be cases where disclosure would not be appropriate where that disclosure would reveal sensitive or delicate information:
An ordinary person, although not expert in government administration, would reasonably expect that to put their name to a petition that is to be circulated throughout the community to gather more signatures, with a view to having the petition tabled at a public meeting, would result in the disclosure of any personal information they elect to put on the petition.
Only in the rarest of circumstances, such as a petition by persons who all have a particular illness petitioning for better health services, will disclosure not be appropriate. In the example given of illness, to disclose would reveal more about a person than just their name and address. In such cases it might be appropriate to keep private the actual names and addresses while disclosing the subject matter of the petition itself.
The nature of the organisation
The type of organisation using and disclosing the personal information will have a bearing upon how reasonable it is to expect the particular use or disclosure. In Case Study 2B above, the organisation publishing the petition online was a local council, an organisation that facilitates public discussion of various matters important to the community. For example, the reasonableness of the disclosure in Case Study 2B can be contrasted with the publication of a petition by a private organisation that does not have such a role in the democratic process.
The extent to which personal information might reasonably be expected to be disclosed within an organisation will also be influenced by matters such as the size of the organisation and the functions of the individuals within the organisation (affecting their ‘need to know’). For example, in Complainant Q v Contracted Service Provider to a Department  VPrivCmr 3, the former Privacy Commissioner accepted that it was reasonably expected that a Human Resources Manager could pass on the outcomes of a criminal record check for a job applicant to two senior staff members with responsibility for supervision and management of the person’s work. A person’s reasonable expectation would be that the information would not flow outside the organisation, or to people within the organisation who did not have a ‘need to know.’
The actions of the individual in question
Individuals that disclose their own information in a public forum, for example, by talking to the media about a complaint they made about a public sector organisation, should reasonably expect that the public sector organisation will respond to media inquiries and may, in responding, disclose the person’s information in a proportionate manner. In Complainant Y v The Department  VPrivCmr 7 the former Privacy Commissioner stated:
I consider that an individual who speaks willingly to a journalist (whom s/he knows writes articles for publication), about matters that are to be the subject of a public tribunal process, would reasonably expect that the organisation complained about may also respond in public… An organisation may communicate with a number of media organisations to ensure its reputation and interests are protected, if each has picked up on a story and appears likely to publish on it, regardless of the fact that the story was initiated through one alone. Similarly, a respondent organisation may need to disclose to correct what the respondent may regard as inaccurate or misleading information disseminated by media outlets other than the outlet to which a complainant first spoke. A complainant who knowingly takes his or her complaint to ‘the court of public opinion’ reasonably expects that a respondent organisation will mount its defence in that same forum.
The individual’s expressed expectations
An individual’s desire to control the way in which an organisation uses or discloses their personal information must be balanced against other competing factors. For example, an organisation may be required to disclose an individual’s personal information under other legislation (see IPP 2.1(f)). Alternatively, it may not be practicable for an organisation to carry out a particular function such as investigating a complaint, without the disclosure of an individual’s personal information. However, when considering whether a particular use or disclosure is reasonably expected, the actual individual’s expressed expectations will be relevant (but not determinative). See also the discussion on sensitive and delicate information in the Key Concepts chapter for more information.
Reasonable expectation case studies
The following case studies provide examples of how VCAT and the former privacy commissioner have decided whether a use or disclosure of personal information is reasonably expected.
Case Study 2E: Disclosure by Council to Complainant’s bank during debt recovery proceedings reasonably expected12
The Complainant (A), was involved in a dispute with a Local Council (Respondent) concerning an outstanding debt. A provided an employee of the Respondent with information about payments he claimed he had made to pay the amount owing. The employee contacted A’s bank to confirm that the payment details were correct. The employee subsequently recorded details of the conversation in a letter to A.
Unable to resolve the dispute, the council commenced recovery proceedings in the Magistrates Court. At a pre-hearing conference the council employee disclosed to the Court details of the conversation between himself and the bank about the disputed debt.
A complained that the employee had unlawfully collected personal information about him by contacting his bank to verify the information given by A and had unlawfully disclosed the information collected to the Court.
In his decision not to entertain the complaint, the Privacy Commissioner noted that IPP 2.1 (a) permits an organisation to disclose personal information for a secondary purpose related to the primary purpose where a person might reasonably expect the disclosure to be made. The test is an objective one; it is the reasonable expectations of an ordinary person, not expert in the workings of government.
The disclosure of the personal information about A to an officer of a court in pursuit of the debt, at a pre-hearing conference, was related to the primary purpose of collection, and could reasonably be expected.
Case Study 2F: Disclosure of personal information to assess whether a student was committing plagiarism reasonably expected13
The Complainant was a student of a university (the University). Her course coordinator suspected her of plagiarism and sent an email (email) containing allegations about the Complainant to the acting heads of school and student progress coordinator.
VCAT held that the disclosure of the Complainant’s personal information in the email was for the primary purpose of collection. The Tribunal also considered whether the disclosure would have been for a secondary related purpose that was reasonably expected. VCAT found that the disclosure was related to the primary purpose of collection and that the Complainant would reasonably expect that the University would disclose suspicions that she had not submitted her own work.
VCAT set out a number of reasons: the course coordinator was required to report such suspicions under the University’s academic honesty policy; the course coordinator was responsible for managing the Complainant’s progress under the University’s assessment policy, including managing any issues arising from the possibility that she was submitting work that was not her own. The course coordinator did not disclose to mere ‘colleagues,’ but to those staff members with responsibilities in relation to a student’s progress under the University’s assessment policy; and it was reasonable to expect a course coordinator to inform the acting heads of school and student progress coordinator about such serious matters prior to a formal meeting and investigation.
Case Study 2G: Use and disclosure of personal information to update records reasonably expected14
The Complainant was first registered as a teacher by the Victorian Institute of Teaching (VIT) in 2003. One of VIT’s powers under the Education and Training Reform Act 2006 (the Education Act) is to maintain a register of teachers. In early 2009 VIT’s hearing panel found that the Complainant had engaged in serious misconduct and determined to cancel his registration. In late 2009, on appeal, VCAT confirmed the finding of serious misconduct but decided to set aside the panel’s decision about cancellation and instead suspended the Complainant’s registration until 2011. VCAT imposed conditions on the Complainant’s registration, which he had met when he was re-registered as a teacher in 2011.
In the period between his suspension in 2009 and re-registration in 2011, the Complainant twice changed his name.
Following the second name change, VIT updated an existing entry about the Complainant on its website. That entry summarised the conduct dealt with in the 2009 hearings and decisions. The update was to change the heading of the entry from the Complainant’s original name to that name together with his name as at July 2011.
The Complainant alleged that the VIT breached his privacy when it collected information about his changes of name and when it updated the 2009 web page.
VCAT found that VIT’s use of the Complainant’s personal information (updating the existing entry about his conduct to include his new name) was for the primary purpose of collection (to undertake its statutory functions under the Education Act). The Member also held that if the disclosure was not for the primary purpose, then it would be for a secondary related purpose that was reasonably expected:
A permissible secondary purpose of collecting the information was to update records which hold the complainant’s former name. A reasonable person ought to expect that, where he or she changes his or her name and provides it to an organisation such as the respondent, that new name will be used to refer to him or her. Here, the reasonableness of that expectation is supported by the complainant’s prior knowledge of the content of the 2009 web page … A reasonable person who has knowledge of the 2009 web page ought to expect that he will be referred to by his current name on such a page and that may be done in a way which identifies him with the existing records of his past conduct.15
Case Study 2H: Disclosure of personal information to third party in complaint handling matter not reasonably expected
A Complainant lived near a property owned by the Organisation, which had decided to hire the premises out as a venue. The Complainant had previously objected to this use of the premises due to noise he therefore made a complaint to the Organisation about its further hiring out of the venue. In response, the Organisation referred his complaint to the event organisers (who were organising an event of a ‘one off’ nature). The event organisers attempted to contact the Complainant at the Complainant’s property in order to apologise for the noise.
The Complainant was distressed by the disclosure of their personal information (contact details and complaint information) by the Organisation to the event organisers. Such a disclosure in these circumstances would not be reasonably expected because the Complainant had contacted the Organisation in order to complain, not about the individual event, but about the Organisation’s decision to allow the premises to be used as a private space for various events and the Complainant had expressed no interest in engaging with the event organisers. Given the event was a ‘one off’ any contact between the Complainant and the event organisers could not have resulted in a negotiation about future use of the premises.
Case Study 2I: Disclosure of contact information to third party in complaint handling matter not reasonably expected
The Complainant’s backyard was accidentally flooded by a contractor of the Organisation. The Organisation apologised but the Complainant remained dissatisfied.
Several days later the Complainant received a series of calls, some out of business hours, from a private number. The caller stated that they were one of the contractors who had accidentally flooded the Complainant’s yard. The Complainant was confused as to why the contractor was repeatedly calling. The Complainant told the contractor that they did not know each other and asked how the contractor had obtained the Complainant’s phone number. The contractor explained that the Organisation had provided the contractor with the Complainant’s phone number and that the contractor wanted to apologise for flooding the yard.
The use and disclosure of the Complainant’s contact information (by both the Organisation and its contractor) was not reasonably expected. Whilst the Complainant might have expected the Organisation (or its contractor) to contact the Complainant for certain purposes (such as facilitating any work required on the Complainant’s property), they did not expect a stranger to repeatedly contact them outside of business hours.
Case Study 2J: Disclosure of information relating to student’s PhD candidature16
A PhD student’s ongoing candidature was reviewed by a Tertiary Institution review panel. Having received unfavourable comments from the panel, the student asked his Masters thesis supervisor to review a draft PhD thesis. Prior to doing so, the thesis supervisor spoke to the PhD supervisor about whether the Master’s thesis supervisor should be revising the thesis, and was advised not to review the thesis as the student’s candidature had been terminated. The student complained about disclosure of information about his PhD candidature information to the thesis supervisor. The Privacy Commissioner found that the disclosure was reasonably expected:
It is necessary and appropriate that a PhD supervisor be able to give his or her opinion about whether as thesis supervisor should proceed to review a PhD thesis where the candidate has already been requested by a Review Panel to withdraw as a candidate for a PhD. A person would reasonably expect, absent special circumstances, that two academics with a close working relationship, from within the same department, who both at varying points in time supervised the same student, might discuss that student’s progression from a degree to a doctorate.
Case Study 2K: Disclosure of complaint details to employee complained of reasonably expected17
The Complainants had a son at a local kindergarten, operated by a Local Council. The complainants wanted to complain about fee advice given to them by their son’s kindergarten teacher. They were told to make a written complaint, which they did, and were told it would be kept confidential. The President of the kindergarten informed the Complainants’ letter to the kindergarten teacher, about whom the complaint related.
The former Privacy Commissioner considered the provisions of IPP 2 and stated:
Where a person raises a complaint with an organisation about the actions of a particular individual within that organisation, it is often necessary to seek a response from the individual who is the subject of the complaint in order to afford natural justice. “Natural justice” requires that where an allegation is made about an individual, and as a result it is proposed that action be taken against the person being complained about, it is only fair that that person be given a right of response in order for the complaint to be properly and fairly investigated.
In light of the particular circumstances of this complaint and despite the parties’ conflicting version of events, the allegations against the teacher could not have been adequately addressed unless the teacher was given an opportunity to respond. Therefore, showing the complaint to the teacher was arguably part of the primary purpose of collection, and in any event a related secondary purpose. A reasonable person in the complainants’ position should reasonably expect that in the interests of natural justice, where s/he has complained about a specific conversation held with a certain individual, that this individual would have to be consulted about the issue in order to ascertain whether or not there was any basis to the complaint
It would, however, have been best practice to inform the Complainants that if they proceeded with their complaint about the teacher, then the teacher would be given a copy of the complaint.
Limiting disclosure to what is sufficient
When disclosing under IPP 2.1(a), organisations should only disclose the amount of information sufficient to satisfy the related secondary purpose (see the following two Case Studies). Excessive disclosure is not reasonably expected.
Case Study 2L: Avoiding excessive disclosure when handling complaints 18
The Complainant complained that an employee (AC) had misused his position in the Organisation to obtain information about her, and other people, for a personal purpose. Following internal investigation and disciplinary proceedings, the Organisation informed the Complainant of the outcome of its investigation into AC as well as its findings about the wider allegations that other individuals’ privacy had been breached.
The Privacy Commissioner found that it was reasonably expected that the Organisation would provide sufficient information to the Complainant to show that the investigation of her complaint and outcome were fair. This ensured that organisations that deal properly with complaints and are seen to do so. However, the Privacy Commissioner considered that the disclosure of the results of the wider investigation appeared to involve more information than was sufficient to deal properly with the Complainant’s complaint. The Organisation acknowledged to AC that its disclosure was excessive and undertook to review its policies concerning the release of information to people who complain about its staff.
Case Study 2M: Avoiding excessive disclosure when handling complaints19
The Complainant was an employee of the respondent Organisation and made a bullying claim against co-workers. The complaint documentation consisted of a letter outlining the outcomes the employee sought, and a chronological list of all of the bullying incidents alleged to have occurred. The Complainant met with a staff member of the Organisation who explained the complaint process and advised that a full copy of the complainant documentation would be provided to each of the alleged bullies. The Complainant agreed to this in the belief that there was no other choice, but later attempted to withdraw her consent as she was anxious about the information contained in the complaint documentation. The Organisation advised that the documentation had already been forwarded to the alleged bullies.
In its response, the Organisation argued that even if it had received the Complainant’s withdrawal of consent prior to distribution, disclosing the complaint documentation – in full – was a necessary part of the investigation process. Further, the Organisation argued it was ‘not reasonably possible’ to edit the complaint documentation before distribution.
The Privacy Commissioner considered that the disclosure of the Complainant’s information in full to all of the alleged bullies was far more than what they needed to respond to the complaint about their own alleged behaviour. Disclosure of information should have been kept to the minimum necessary to investigate the matter and did not require the wholesale disclosure that had occurred in this instance. Similarly, the Privacy Commissioner considered that it was possible to edit the document provided in order to protect the Complainant’s privacy. She considered that an investigation process requires an Organisation to collate the information provided in a complaint and reasonably determine what needs to be disclosed to each staff member.
IPP 2 .1(b): Consent
Consent is one of the exceptions to the rule that personal information can be used and disclosed only for the purpose it was collected for. Organisations can seek consent from an individual to use or disclose information for unrelated or incompatible purposes with the primary purpose of collection. That is, purposes that fall outside the scope of IPP 2.1(a).
If an individual provides valid consent, then the organisation may use or disclose the personal information in a way that is consent with the consent. Please refer to the Key Concepts chapter for information regarding ‘valid consent’. The case study below highlights the importance of ensuring consent is valid.
Case Study 2N: ‘CP’ and Department of Defence20
The complainant had lodged a worker’s compensation claim with Comcare. Comcare required that the claim be assessed by an independent third-party medical practitioner. Although the complainant had previously consented to such disclosures, their consent could be withdrawn at any time.
The complainant had expressly refused permission for their case officer or any other Defence personnel to contact their medical practitioners. Defence personnel disclosed the third-party medical practitioner’s report to the complainant’s GP despite this.
The complainant alleged that that Defence had interfered with their privacy by disclosing sensitive personal information about them to a third party, their GP, without consent and after they had expressly refused to grant consent of the report to their GP. The complaint was upheld.
Sharing information where consent has not been provided
In cases where an individual has not provided consent to use or disclose their personal information, this will not necessarily mean an organisation will be unable to use or disclose the information. Other exceptions under IPP 2, such as disclosure authorised or required by or under law (IPP 2.1(f)), may allow a disclosure to proceed irrespective of whether the individual has consented.
Distinguishing consent from notice
Organisations must distinguish consent from notice (provided by a collection notice, under IPP 1.3). Often individuals have no real choice in a use or disclosure when transacting with government. In such circumstances, when the individual signs a form it is usually regarded as an acknowledgement that he or she has received notice. It is not ‘consent’ in the proper sense of the word. The differences between notice and consent are discussed further under Consent in the Key Concepts chapter.
Opting-in preferred approach for public sector
If an organisation is seeking to rely on consent as the authority to use or disclose information, it should be opt-in consent. The opt-in method demonstrates more reliably that the individual has actively consented compared to the opt-out method. For more information, the opt-in and the opt-out consent models are discussed in the ‘Opt In versus Opt Out’ section of Consent in the Key Concepts chapter.
IPP 2.1(c): Necessary for research or statistics in the public interest
IPP 2.1(c) allows for organisations to use and disclose personal information necessary for research or the compilation or analysis of statistics when three requirements are met:
- The research is in the public interest.
- The information is not for publication in a form that identifies any particular individual.
- It is impracticable for the organisation to seek the individual’s consent before the use or disclosure.
In the case of disclosure, the organisation must also reasonably believe the recipient of the information will not disclose the information.
Necessary for research or compilation or analysis of statistics
For organisations to use and disclose personal information under IPP 2.1(c), the use and disclosure must be necessary for the research or statistical work. Use or disclosure will not be necessary when the same research objectives can be achieved with alternative sources of data or data that has been de-identified or is anonymous. When developing research projects, organisations should consider if the same objectives could be achieved without using personal information.
Before organisations rely on IPP 2.1(c) to use or disclose personal information under IPP 2.1(c) (or for any project or initiative that poses a risk to the privacy of individuals) they should consider completing a privacy impact assessment (PIA). PIAs are a tool to assist organisations identify potential privacy risks and ways to mitigate them before personal information is handled.
‘‘Research’ is not defined in IPP 2.1(c). As such, the word should be given its ordinary meaning, that is, a systematic investigation and study which seeks to establish new facts and reach new conclusions. It is more than a reorganisation of data or restatement of facts. Research begins with a clearly defined goal and the information gathered aims to help reach that goal.
‘Statistics’ are numerical data, especially when large quantities are involved. Compilation is the collection of numerical data and analysis involves an undertaking of detailed examination of the data and inferring conclusions about the information or the set or a subset of data subjects.
Research ‘in the public interest’
Organisations can only rely on IPP 2.1(c) to use or disclose personal information for research or statistical work without individuals’ consent when the work is in the public interest.
To determine whether a proposal for research or statistical work is ‘in the public interest’, organisations should be explicit in their definition of the public interest and how the research promotes this public interest. Organisations should consider the following questions.
- Is the organisation considering the public interest as broader than its own needs?
- What is the public importance of the research?
- How will the wider community benefit from the research or statistical work? Will the community benefit, for example, by:
- gaining in greater knowledge, insight or understanding within fields such as science and humanities;
- the improvement of social welfare, public safety or individual well-being, or the minimisation of serious harm, or;
- the enhancement of the delivery of government services or the targeting of government funded welfare or educational services?
- Are there any countervailing interests to consider to balance the public interest in privacy and the public interest in the conduct of the research?
- Is there a cost to the community of not undertaking the research or statistical work?
- Are participants at risk of any harm (e.g., physical, emotional, social, economic or legal harm)? If so, what is the seriousness and likelihood of this harm?
The National Health Medical Research Committee has published Guidelines approved under s 95A of the Commonwealth Privacy Act 1988 . Although not directly applicable to the PDP Act, the Guidelines provide additional questions and considerations which may help an organisation determine whether their research is in the public interest.
A research ethics committee may also help an organisation assess whether the research involving personal information is in the public interest. Some organisations, such as universities, may be required due to their funding or other arrangements to consider the National Statement on Ethical Conduct in Human Research.21
Not for publication in a form that identifies any particular individual
To use and disclose personal information under 2.1(c), organisations must ensure the research or statistical work is not for publication in a form that identifies any particular individual. This means organisations should de-identify personal information prior to publication to ensure published material does not contain personal information. Organisations should not consider de-identification as a final end state. Instead, organisations should always consider the possibility of re-identification, especially when data is drawn from small communities or data sets. For more information, see ‘De-identification’ in Key Concepts.
‘Impracticable’ to seek consent
Impracticability means more than mere inconvenience or some cost or effort for a public sector organisation. The impracticability of seeking consent should not be confused with the undesirability of seeking consent. IPP 2.1(c) does not permit consent to be waived where consent can be readily sought but organisations would prefer not to do so in order to achieve greater participation. Impracticability must be assessed in context.
The quantity, age or accessibility of records may make it impracticable to obtain. 22According to the NHMRC’s National Statement on Ethical Conduct in Human Research, it is usually impractical to obtain consent from individuals for secondary use of information collected during the delivery of a service by a government department because the collection of information may involve large numbers of people or whole populations. For example, it may be impracticable to seek consent where the organisation is unable to locate the individual, despite making reasonable efforts.
Reasonable belief the recipient will not disclose information
In the case of disclosure only, there is an additional requirement: organisations must reasonably believe the recipient of the information will not disclose that information. To be able to demonstrate a reasonable belief under IPP 2.1(c)(ii), organisations should ensure they keep records of the following considerations (among others):
- Does the organisation reasonably believe that the recipient of the personal information will not further disclose the information?
- Have undertakings or agreements of confidentiality been sought?
Where the disclosure is outside of Victoria, have appropriate privacy protection measures been attended to in accordance with obligations under IPP 9? The following fictional case study illustrates the points that need to be considered by an organisation seeking to rely on IPP 2.1(c).
Case Study 2O: Personal information sought for research in the public interest
A research institution sought information from a local Council to conduct research relating to the State farming industry and livestock. The Council was asked to disclose information relating to historical land ownership and farming permits under local laws which contained personal information about past and present residents.
The institution’s ethics committee had considered the proposed research and decided that it was in the public interest.
The institution provided this Council with written confirmation it understood and agreed the information supplied was confidential, only for the purpose of the specified research and not to be published in any way that would allow identification of particular individuals.
The Council made records of its evaluation of the necessity of the information for the research. The information was not publicly available or easily ascertainable. It was impracticable to obtain consent because contact details in the historical land ownership records were out of date, in spite of reasonable efforts on the part of the Council and research institution to find them.
The disclosure of the information by the Councils was subject to a series of requirements:
- The information was to be used by the research institution only for the research in question.
- The information could not be retained by the research institution after the current research was completed.
- The information could not be supplied to any third parties.
- The published results of the investigation would contain no personal information.
The undertakings by the institution and the Council’s additional requirements for disclosure were sufficient in this case for the Council to demonstrate it had met its obligations under 2.1(c).
Other grounds which may permit research or compilation or analysis of statistics
The PDP Act facilitates the conduct of research in a number of ways which are not limited to the use and disclosure ground in IPP 2.1(c). Organisations should consider these alternatives before disclosing personal information to researchers or conducting research themselves. These include:
- using de-identified data
- where the research is related to the organisation’s functions or activities and is reasonably expected, organisations can rely on IPP 2.1(a) to make first contact with prospective participants on the behalf of the researcher. For example, a school may initiate contact with students and their families about education-related research. Here, the public interest in privacy and the public interest in research are balanced, by the organisation maintaining control over the information it holds and only disclosing identifiable details after consent has been obtained by those individuals wishing to participate in the research
- relying on the valid consent of an individual for the future use or disclosure for research or statistical work obtained when the personal information is collected (under IPP 2.1(b))
- the disclosure is necessary to lessen or prevent a serious threat to public health, safety or welfare under IPP 2.1(d)
- where the disclosure is required and authorised by law and 2.1(f) applies. For example, s 34 of the Electoral Act 2002 (Vic) expressly authorises disclosure of enrolment information in the public interest after consultation with the Information Commissioner.
Notification after use or disclosure and withdrawal
Where it is impracticable to seek consent before the research subject’s personal information is used, organisations may still notify the person after the use or disclosure. Notification is distinct from consent, but it does provide individuals with an opportunity to withdraw from further participation in the research study. This is consistent with ethical research standards supporting revocation of consent.
IPP 2 .1(d): Necessary to lessen or prevent serious threats to health or safety
IPP 2.1(d) allows use or disclosure to occur where the organisation reasonably believes it is necessary to lessen or prevent:
- a serious threat to an individual’s life, health, safety or welfare; or
- a serious threat to public health, public safety or public welfare.
This section requires two things of organisations which seek to rely on this exception for the use and disclosure of personal information. An organisation must form a reasonable belief there is a serious threat and it must believe the use or disclosure is necessary to lessen or prevent the threat. What an organisation believes on reasonable grounds ‘is very much a matter to be decided on the evidence of each case’.23To decide whether there are reasonable grounds for belief, organisations should consider the source and reliability of the information that indicates the threat and the seriousness of the indicated threat.24
Legislative reforms in 2017removed the word ‘imminent’ from IPP 2.1(d)(i). These reforms are discussed below under the heading ‘Removal of the word ‘imminent’’.
It is not enough for an organisation to form a reasonable belief there is a serious threat. IPP 2.1(d) also requires the organisation believe it is necessary to disclose information in order to lessen or prevent the threat. ‘Necessary’ in this context has been interpreted as ‘that which is … needed; essential; indispensable; that must be done’.25
In determining whether a use or disclosure might be regarded as necessary, organisations should consider:
- Is the use or disclosure motivated by an intention to lessen or prevent the threatened harm?
- Is the information being used or disclosed relevant to managing that threat?
- Where information is disclosed, is the recipient in a position to act on the information to lessen or prevent the harm from eventuating?
IPP 2.1(d) does not specify who can use the information or to whom it may be disclosed. In most cases, the recipient would need to be an appropriate agency in a position to lessen or prevent the particular threat. For example, and depending on the circumstances, appropriate recipients would be the police, emergency services or health authorities.
Case Study 2P: requirement for disclosure to be ‘necessary’ 26
The requirement for necessity was discussed in Director General, Department of Education and Training v MT (GD).27The Appeal Panel considered an equivalent provision under the New South Wales privacy legislation and found the disclosure was not ‘necessary’ to prevent or lessen the threat of harm.
A soccer coach was alerted to possible health concerns that might prevent a team member from playing in the team’s grand final game. The coach used his position as a teacher at the soccer player’s school to access her school records. After reading a medical report on her file, he approached the player and told her the club needed an indemnity from her parents in case she was injured. The next day, the player told the coach that on legal advice they refused to provide the indemnity. The coach contacted the president of the soccer club to say he had become aware of the player’s medical condition, he did not think she was match fit and others had told him she would end up in a wheel chair if she played. The club president approached the player and her mother at a soccer training session to express his concerns for the girl’s safety. According to the club president, the conversation ended with the mother becoming abusive. The player did not play in the grand final.
The NSW Administrative Decisions Tribunal Appeal Panel accepted the Tribunal’s earlier finding that the disclosure was not ‘necessary’ to prevent or lessen a threat of harm, as a letter from the coach had stated that the player’s health was not a reason to prevent her from playing soccer. The Appeal Panel found the coach’s disclosure to the club president was instead motivated by a concern to protect both himself and the club from any potential personal injury claims.
Whether or not a threat can be considered ‘serious’ for the purposes of the PDP Act and the HRA should take into account what a reasonable person would regard as ‘serious’. In making an assessment as to whether a threat is ‘serious’, organisations should consider the following factors:
- Severity – How significant are the consequences of the threat?
- Likelihood – What is the chance of the threat actually happening? What is the relative likelihood that harm will occur?
There are a range of other circumstances that may impact upon the seriousness of a threat. It may not be clear in all situations whether a threat is likely to ever happen or how severe the consequences might be for an affected individual. In these cases, organisations may wish to look at secondary factors applicable to the particular situation in making an assessment as to the severity and likelihood of the threat. These factors may include, but are not limited to:
- Timing – How soon is the threat likely to occur? Is the threat ongoing?
- Nature of the harm – What is the level of perceived harm to the individual? What type of harm is likely to result (e.g. physical, mental, financial)?
- Vulnerability – Considering the circumstances, how vulnerable might the affected individual be to the threat (e.g. is the victim a child?)
These secondary factors may not be relevant in every case, but in some situations, may assist in making an assessment as to whether a threat is ‘serious’. Seriousness should be determined on a case by case basis, as the circumstances surrounding a threat will differ.
Removal of the word ‘imminent’
Legislative reforms in 2017 removed the word ‘imminent’ from IPP 2.1(d)(i). Previously, organisations could only rely on this exception to disclose information in response to a threat that was imminent. While the legislative change in Victoria came about in the context of family violence prevention, the removal of ‘imminent’ has a broader application. The removal of ‘imminent’ means organisations need only establish a threat is serious, and that disclosure is necessary to lessen or prevent that threat is necessary, before relying on IPP 2.1(d)(i) to use and disclose personal information.
The following fictional case study illustrates the effect of this change:
A client of a health service is behaving aggressively and has made threats towards staff. The health service manager is considering whether to exclude the person from attending the health service in the future. The manager is aware that the client also receives services from another organisation, and is considering contacting the other organisation to seek information about the client that may justify excluding him from attending the health service. Previously, the manager may not have been able to collect the client’s health information from the other organisation unless the threat was expected to be carried out in the immediate future. Now, the manager can collect the information if the threat is serious and staff are at risk, even if the timing of a possible future incident is unknown.
Public sector employees acting on information obtained in their private capacity
Public sector employees may come across information in their private capacity that leads them to believe or suspect someone poses a serious risk to an individual’s or the public’s health, safety or welfare. Public sector employees may be tempted to use their privileged access to official information (such as criminal records or child protection files) to confirm their suspicions and decide to use or disclose the information in their private capacity. This situation may create difficulties for an organisation which has a function to protect the community from threats of harm but also has obligations to prevent sensitive information it holds from being used or disclose in an unauthorised manner. Organisations should balance all relevant interests including the protection of a well-meaning staff member from later accusations of wrongful use of databases.
Factors relevant to determining whether the official’s use or disclosure is necessary to lessen or prevent a serious harm might include:
- the reliability of the information obtained in the official’s private capacity;
- the seriousness of the potential harms;
- the degree of vulnerability of the potential victims (including whether they are in a position to recognise the threat themselves); and
- the involvement of an appropriate authorised person.
Anticipating the need to provide information during an emergency
Where there is a serious threat to public health or safety, for example, an infectious disease or large-scale evacuation, significant amounts of personal information could be required. Additionally, threats to health, safety or welfare in this context will generally require a fast and appropriate response from the organisation. Steps to ensure limited disclosure consistent with the circumstances should be developed by organisations prior to an emergency situation.
It is advisable to have and communicate a policy that covers the use and disclosure of personal information in the event of an emergency, so organisations can quickly and confidently handle a request for personal information.
Using or disclosing during emergency relief efforts
IPP 2.1(d) may also be relevant to information uses and disclosures after a disaster or accident has occurred to assist emergency services, for example, in locating victims and reuniting them with their family, ensuring victims receive medical attention and ensuring they have the opportunity to take advantage of various other forms of support (such as financial assistance and counselling). Such disclosures are likely to be permitted under IPP 2.1(d) as lessening or preventing serious harm to public welfare.
‘Public welfare’ in this context includes offering assistance to victims to assist the community more generally to overcome the effects of disasters and other trauma. It is legitimate for authorities to try to reach victims to offer support, however, authorities must also be aware not everyone responds to offers of support in the same way. Disaster victims can always decline offers of support made by or on behalf of government agencies and their wishes for no further contact should be respected.
IPP 2.1(e): Investigating suspected unlawful activity
Where an organisation has reason to suspect that unlawful activity has been, is being, or may be, engaged in, IPP 2.1(e) allows personal information to be used or disclosed:
- as a necessary part of the organisation’s investigation of the matter; or
- in reporting the organisation’s concerns to relevant persons or authorities.
This ground for use and disclosure should not be used lightly as it has serious privacy implications. It should not be used for speculative monitoring, surveillance or intelligence gathering. There must be a reasonable basis for suspecting unlawful activity. However, it is not necessary that unlawful activity has in fact occurred; even if the organisation’s suspicion eventually turns out to be unwarranted, disclosure will still have been authorised if the circumstances described in IPP 2.1(e) are met.28
The activity being investigated must be unlawful, not simply unethical or objectionable. Suspected breaches of the criminal law would fall within the meaning of ‘unlawful activity’.
Misconduct by public sector employees may also be considered unlawful if it contravenes a statutory secrecy or confidentiality obligation.
Misconduct may also be considered unlawful if it involves conduct that may result in the imposition of a penalty or other sanction, such as the types of misconduct29 set out in the Public Administration Act 2004 (see the following Case Study 2M for more information).
Case Study 2R: Disclosure during investigation of serious misconduct allegations30
The Complainant, an employee of the Organisation, was the subject of serious misconduct allegations. The Organisation disclosed personal information (including his bank account and holiday and sick leave details) about the employee to an external investigator for the purposes of enquiring into the alleged misconduct. The Organisation also appointed a review panel to independently assess the investigator’s report.
The Organisation argued that IPP 2.1(e) applied to its investigation of allegations of misconduct by the complainant because that conduct raised issues of breaches of the Code of Conduct provisions, given legislative force under the Public Sector Employment and Management Act 1998 (Vic) [which was later replaced by the Public Administration Act 2004 (Vic)], and section 95 of the Constitution Act 1975 (Vic).
The Privacy Commissioner considered that IPP 2.1(e) permits the use and disclosure of personal information at any stage of an investigation into serious misconduct for the purposes of determining whether the suspected activity is taking place. While noting that it is likely for disclosures during an investigation to involve a mix of personal information that may or may not be relevant to the investigation, in this case, the information was necessary to the investigation. Accordingly, the Privacy Commissioner declined the complaint on the basis that there had not been an interference with privacy.
However, to avoid future confusion, the Department decided to amend its serious misconduct policy to expressly state that an employee’s personnel file could be disclosed to an internal or external investigator for the purpose of understanding an allegation of serious misconduct.
In Kudleck v Victoria University (see Case Study 2D above), VCAT found that ‘unlawful activity’ does not include activities that may constitute disciplinary offences created through regulations made under Part 5 of the Victoria University Act 2010 – a regulation made under that Act is not a statutory rule under the Subordinate Legislation Act 1994 (Vic) nor a subordinate instrument for the purposes of s 32 of the Interpretation of Legislation Act 1984 (Vic). However, VCAT found that IPP 2.1(e) did not authorise the use or disclosure by Victoria University.
Investigation by the organisation
When an organisation proposes to use or disclose personal information in order to investigate suspected unlawful activity itself:
- any suspicion of wrongdoing should be based on reasonable grounds, not unsubstantiated gossip or rumour
- the use or disclosure must be considered necessary after due consideration of alternatives;
- the use or disclosure should be as confined as possible throughout the organisation’s investigation, both in terms of the number of individuals whose information is involved and the number of people who are given access to the information.
Personal information may be used or disclosed at any point during an investigation into unlawful activity or serious misconduct – see Case Study 2M above, exploring Complainant I v Department.31
Disclosure to relevant persons and authorities
When an organisation decides to report suspected unlawful activity, such use or disclosure should be limited to the persons or authorities with a need to know the information because they have relevant duties to perform in the circumstances. Examples include law enforcement organisations, an organisation responsible for the protection of public revenue, such as the State Revenue Office, or regulatory authorities such as the Food Safety Council.
Case Study 2S: Disclosure by law enforcement authority to a third party
In Zeqaj v Victoria Police (Human Rights)  VCAT 1733 (20 November 2018), the Complainant complained that the Respondent interfered with his privacy by disclosing his personal information to third parties.
The Complainant complained that the Respondent disclosed to the Australian Taxation Office (ATO) that he:
- was the subject of an investigation. This alleged inappropriate disclosure occurred when the Respondent sent a notice to the ATO requesting information about the Complainant in 2011; and
- had been identified as being involved in the cultivation, distribution and sale of cannabis. This alleged inappropriate disclosure occurred when the Respondent responded to a request for information about the Complainant from the ATO in 2012.
VCAT held the ATO disclosure was consistent with the Respondent’s primary purpose of collection of personal information under IPP 2.1. It noted that even if the disclosure was not consistent with the Respondent’s primary purpose, the disclosure would fall under the investigating unlawful activity exception [IPP 2.1(e)] or the required or authorised by law exception [IPP 2.1(f)].
Notice of disclosures under IPP 2.1(e)
Any organisation wishing to use or disclosure an individual’s personal information under IPP 2.1 should consider if it has taken reasonable steps to provide the individual with notice as required under IPP 1.3. Disclosures under IPP 2.1(e) are no exception. Relevant factors for consideration include:
- the source of the information – consider whether the information been obtained from a suspect, a victim or witness; and
- the nature of the unlawful activity – whilst the activity must be ‘unlawful’ (rather than simply objectionable or unethical, as discussed above), this will capture a broad range misconduct, some more serious or ‘sensitive’ than others.
The reasonableness of providing notice of a disclosure under IPP 2.1(e) needs to be determined on a case by case basis. It would be unreasonable to provide notice of an IPP 2.1(e) to a suspect. It may be reasonable to provide notice of an IPP 2.1(e) to a victim of an unlawful activity that is particularly ‘sensitive’ (e.g. sexual assault).
IPP 2 .1(f): Required or authorised by law
IPP 2.1(f) allows personal information to be used or disclosed for a purpose other than the primary purpose if such use or disclosure is required or authorised by or under law.
Required by law
‘Required by law’ means there is a legal obligation to use or disclose personal information in a particular way.32Words such as ‘must’ or ‘shall’ will indicate a requirement and may be accompanied by the presence of a sanction for non-compliance. ‘Requires’ includes demands or necessities and extends to warrants, court orders and statutory provisions.33 One type of statutory provision that is often relevant to IPP 2.1(f) is the power to demand the production of documents or information.
Case study 2T: ‘OJ’ and the Department of Home Affairs34
The Complainant made a complaint relating to disclosure of their personal information by the Department of Home Affairs (DHA), to the Department of Human Services Victoria (DHSV) and the Minister for Home Affairs, in responding to a request for information by the television show ‘A Current Affair’ (ACA).
The Complainant’s personal information including their immigration status was disclosed to the DHSV by DHA in response to a subpoena issued by the Federal Circuit Court. The disclosure of the Complainant’s personal information by the DHA was required by the the Federal Circuit Court of Australia Act 1999 (FCCA Act) and the Federal Circuit Court Rules 2001 (FCC Rules). These laws make it an offence to not comply with a subpoena. As a result, the Australian Information Commissioner found that there was no interference with the Complainant’s privacy as the the disclosure was required or authorised by or under law.
ACA had requested information in writing in relation to the Complainant’s circumstances and status of the deportation order against the Complainant (amongst other things). The ACA’s request for information included the Complainant’s name, the location of the detention centre that the Complainant was held in and details regarding their immigration visa status.
The request for information and the response prepared by the DHA’s Portfolio Media Unit was forwarded to the Minister for Home Affair’s media adviser.
The Information Commissioner was required to determine whether the DHA’s use of the Complainant’s personal information and disclosure to the Minister’s office was authorised or required by law.
The Commissioner found that it was necessary for the Department to disclose the information in the ACA request to the Minister’s Office, under s 57(2) of the Public Service Act 1999 (PS Act). Section 57(2)(b) requires the Secretary of a Department to advise the Minister about departmental matters.
In Dodd v Department of Education and Training,35 VCAT found that the Department’s disclosure of two documents to the Victorian Institute of Teaching (VIT) fell within IPP 2.1(f). The documents consisted of Mr Dodd’s exchange of letters with a teacher about the veracity of her evidence before a disciplinary hearing held by the Department in relation to the conduct of another teacher. VCAT found the disclosure was in accordance with s 27(2) of the Victorian Institute of Teaching Act 2001 which requires the Department to provide the VIT with any information the VIT might reasonably require to conduct its enquiry. The Department was acting under a mandatory duty to provide the information.
Authorised by law
The phrase ‘authorised by law’ refers to a law which permits the use or disclosure but does not make it compulsory.36 Words such as ‘may’ are indicative of this. An authorising power must be reasonably specific; a general power or function for ‘anything incidental’ would be insufficient.
Authorisation under law need not be confined to a specific statutory duty under an Act but may extend to other common law duties or authorities for disclosure, such as common law rules of evidence.
Case study 2U: disclosing information to court officers permitted37
In a pre-hearing conference, a Local Council disclosed personal information about the person bringing the action against the Council. The person claimed that the disclosure in the pre-hearing conference was an infringement of his privacy. The Local Council asserted that the disclosure was authorised by law under IPP 2.1(f).
The Privacy Commissioner determined that the law permits, and in some cases requires, persons to give information to officers of the court, or evidence to a court about matters relevant to a case. It is the person presiding over the pre-hearing conference or the hearing who decides what is relevant. Accordingly, the Privacy Commissioner considered the disclosure to be a permitted disclosure under IPP 2.1(f).
Administrative release of information under section 16(2) of the FOI Act
Section 16(2) of the FOI Act authorises organisations to make information (including documents that might otherwise be exempt under the FOI Act) available to the public informally, without requiring individuals to lodge a formal written request for access under the FOI Act, where the organisation can properly do so or is required by law to do so. This procedure for publishing or disclosing documents outside of the FOI Act is sometimes referred to as ‘administrative release’.38
Section 16(2) of the FOI Act only authorises disclosure where organisations can ‘properly do so’ or are required by law to do so. It would not be ‘proper’ to give access under s16(2) of the FOI Act where this would involve an unreasonable impact on the personal privacy of an individual or breach of some other legal obligation. Organisations should also consider whether it would be proper to release information having regard to:
- any relevant duties of confidentiality or statutory secrecy requirements; and
- existing legal obligations under the PDP Act not to disclose personal information about any person for a purpose other than the primary purpose of collection unless the disclosure is in accordance with IPP 2.1(a)-(h).
Disclosing only to the extent required or authorised
In some cases, the legislative authority behind the information request or demand may be conditional or limited in some way. For example, the legislation may require an investigation to be formally established before a demand for information can be issued to obtain information to assist in that investigation.
When disclosing information, it is important to disclose only information that is required by the request. There might be circumstances where information is privileged and therefore may not be disclosed. If required seek additional information from the requestor about the information being sought and the authority or requirement under legislation to collect the information, to ensure that the disclosure includes only what information is required under the request.
Case study 2V: publication of personal details in tribunal decision not authorised or required by law
In Tam Anh Le v Secretary, Department of Education, Science and Training  AATA 208, the AAT considered the federal equivalent to IPP 2.1(e) to determine how much information should be included in a published AAT decision. In that case, the applicant’s daughter was searching for her family name on the internet when she came across an AAT decision on AustLII. The decision related to her father’s application to the AAT to review a Department of Employment, Education and Training decision that he not be paid Austudy at the student homelessness rate. The decision revealed quite explicit details, including addresses of relevant persons and details of the applicant’s relationship with his parents.
The AAT considered principles of open justice and its statutory obligations under the Administrative Appeals Tribunal Act 1975 (Cth) to hear matters in public and to publish its reasons for decisions. The AAT found that its decisions need only publish as much of a person’s information as is necessary to disclose adequately the intellectual process that resulted in the particular decision.
In the applicant’s case, the AAT had gone beyond what was necessary to fulfil its obligations and may exercise its power under the AAT Act to restrict access to personal information. Accordingly, the AAT made an order to restrict publication of the addresses of the applicant and his parents as not being authorised or required under law.
IPP 2 .1(g): Reasonably necessary assistance for law enforcement and protection of public revenue
IPP 2.1(g) allows an organisation to use or disclose personal information where the organisation reasonably believes the use or disclosure is reasonably necessary for any of five specified purposes undertaken by or on behalf of a law enforcement agency.
The five specified purposes are:
- the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
- the enforcement of laws relating to the confiscation of the proceeds of crime;
- the protection of the public revenue;
- the prevention, detection, investigation or remedying or seriously improper conduct; or
- the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
If an organisation uses or discloses personal information to assist law enforcement agencies for any of the above purposes, IPP 2.2 requires the organisation to make a written record of that use or disclosure. Please refer to the section discussing IPP 2.2 for further information.
Law enforcement agency
IPP 2.1(g) authorises disclosure to law enforcement agencies. ‘Law enforcement agency’ is defined in s 3 of the PDP Act. The definition specifically includes state and federal police; crime commissions and examiners; the Business Licensing Authority and the Special Investigations Monitor. The definition also includes agencies involved in the prevention and detection of crime, the release of persons from custody, the execution of warrants, the provision of correctional services, the management and seizure of property under confiscation laws and the protection of public revenue.
IPP 2.1(g) also authorises disclosure to persons who carry out any of the five functions (listed in the previous section) on behalf of a law enforcement agency. For example, this includes lawyers preparing matters for trial. The Explanatory Memorandum of the PDP Act says IPP 2.1(g) and (h) are intended to give latitude to organisations disclosing personal information to law enforcement agencies.
Reasonably believe that disclosure is reasonably necessary
Organisations are not prevented by the PDP Act from cooperating with law enforcement agencies. IPP 2.1(g) expressly authorises organisations to assist law enforcement agencies by providing information relevant to law enforcement functions. However, IPP 2.1(g) requires organisations to make a judgement about whether the use or disclosure is reasonably necessary in the circumstances. The tests of ‘reasonable belief’ and ‘reasonably necessity’ must be satisfied.
In Zeqaj v Victoria Police,39 VCAT held Victoria Police did not have reasonable belief the disclosure was reasonably necessary because they had not considered whether departure from the IPPs was reasonably necessary. VCAT required evidence of this reasonable belief being formed for IPP 2.1(g) to authorise the use of the personal information.
Organisations must ‘reasonably believe’ it is ‘reasonably necessary’ to disclose the information for one of the specified purposes in IPP 2.1(g)(i) – (v). IPP 2.1(g) requires the organisations to make a judgement in the circumstances as to whether the use or disclosure is necessary.
The organisation should also take steps to satisfy itself that use and disclosure is reasonably necessary for the specific law enforcement function. However, these steps do not need to be extensive .In determining when it is reasonably necessary to disclose, the Explanatory Memorandum to the PDP Act suggests: 40
Minimal information about the purpose of collection by the law enforcement agency would usually be enough to establish that the disclosure was ‘reasonably necessary.’
Further information on assessing a request is provided under the heading ‘Assessing a request for information for a law enforcement function’.
In some cases, organisations may determine it is inappropriate to release the information under IPP 2.1(g). This may be because they have not been persuaded that the information is necessary for one of the authorised purposes. Or the organisation may determine that, due to the sensitivity or volume of information requested, it would be more appropriate to withhold the information until and unless a warrant or other legal authority is produced.
Any use or disclosure of personal information under IPP 2.1(g) must be noted by the organisation in writing (see IPP 2.2).
Specified law enforcement purposes
Although the range of authorised recipients is broad, the authority to disclose under IPP 2.1(g) is limited. Use or disclosure must be tied to one of the five specified purposes, explained in more detail below.
IPP 2.1(g)(i): the prevention, detection, investigation, prosecution or punishment of crime and other breaches of the law criminal offences or breaches of a law imposing a penalty or sanction.
IPP 2.1(g)(i) allows information to be used or disclosed for the purpose of prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction.
A criminal offence is an act or practice that is prohibited by criminal law at Commonwealth, State or Territory level. ‘Penalty’ generally refers to a punishment, including a fine or monetary payment. ‘Sanction’ generally refers to some other legal requirement, order or action used to punish non- compliance with a law. Common sanctions include revocation of a licence, withdrawal of a benefit or disciplinary actions such as suspension or dismissal.
In Complainant AB v Victoria Police,41 fingerprints from applicants for firearms licences, such as the Complainant, were stored on the national fingerprints database and routinely compared to those found at crime scenes across Australia. The Privacy Commissioner decided that police can use the personal information of firearms licence holders for the investigation of criminal offences.
IPP 2.1(g)(ii): the enforcement of laws relating to the confiscation of the proceeds of crime
Laws relating to the confiscation of the proceeds of crime include the Confiscation Act 1997 (Vic) and comparable laws in other States, Territories and the Commonwealth. These laws allow for the seizure and confiscation of property and other proceeds derived from the commission of criminal offences.
In Victoria, the law which relates to the confiscation of the proceeds of crime is the Confiscation Act 1997. Asset Confiscation Operations is the business unit within the Department of Justice and Community Safety responsible for the confiscation and disposal of property connected to crime. The seizure and sale of personal goods or belongings derived from the commission of criminal offences is the responsibility of Victoria Police.
IPP 2.1(g)(iii): the protection of the public revenue
‘Public revenue’ refers to regular payments to Commonwealth, State, Territory and Local Governments, such as taxes (including excise and duties), levies, rates, application fees and charges. The term may not encompass fines enforcement, as fines are not regular payments made to a government agency. However, as discussed below, IPP 2.1(g)(v) may be a basis for use and disclosure in the fines enforcement context.
IPP 2.1(g)(iv): the prevention, detection, investigation or remedying of seriously improper conduct
‘Seriously improper’ is not defined in legislation. Instead, it can be interpreted as a higher standard of misconduct proportionate and reasonable in the circumstances. ‘Seriously improper conduct’ may include serious breaches of standards of conduct associated with a person’s duties, powers, authority and responsibilities. It includes corruption, abuse of power, dereliction of duty, and breach of obligation which warrant enforcement action from an enforcement body.
Activities or behaviours which constitute misconduct are sometimes set out in statutes that apply to specific organisations or the public service as a whole. For example, s 22 of the Public Administration Act 2004 (Vic) lists the types of activities that are regarded as ‘misconduct’ by public sector employees. This includes contravention of a binding code of conduct or use of position for personal gain.
A number of statutory agencies exist to investigate allegations of serious misconduct, particularly where they concern individuals engaged in regulated professions such as teachers, lawyers and health professionals.
IPP 2.1(g)(v): preparation and conduct of court or tribunal proceedings, or implementation of the orders of a court or tribunal
Use and disclosure under this heading would include proceedings in the courts and tribunals of Victoria, other States and Territories and the Commonwealth.
Uses and disclosures of personal information to a law enforcement agency that is empowered to implement the orders of a court or tribunal need a clear link to the order that is being enforced. Any disclosure should be limited in scope to what is necessary and relevant in each case. This ground should not be used as a basis for the bulk release of information about individuals who are not subject to the orders which are being enforced.
A record of a reasonable belief the disclosure is reasonably necessary should comply with the requirements of IPP 2.2.
IPP 2.2: Written notes of uses/disclosures under IPP 2.1(g) to law enforcement agencies
IPP 2.2 states that a written note must be made of any use or disclosure made under IPP 2.1(g) to a law enforcement agency. It does not specify what should be included in the note, but the note should include information that can assist in establishing the rationale and circumstances of the disclosure, so that if this information is requested in the future, it can be retrieved and provided.
The note should specify at least the following information:
- the personal information used or disclosed, with a copy of any material supplied;
- a copy of the request for the information;
- the law enforcement agency or agencies and their representatives’ names and the date that information was provided;
- the basis of the reasonable belief that the use or disclosure was reasonably necessary, taking care not to prejudice any investigation or proceeding including any supporting documentation used in making the decision to disclose the information; and
- the name and title of the decision-maker.
This information should be stored securely, especially if the information is sensitive, in accordance with IPP 4.1.
IPP 2 .1(h): Commonwealth security agencies
IPP 2.1(h) allows an organisation to disclose information to officers of the Australian Security Intelligence Organisation (ASIO) and the Australian Secret Intelligence Service (ASIS) where the agency has requested the information in connection with its functions and:
- the disclosure is made to an ASIO or ASIS officer or employee who is authorised in writing by the Director-General of ASIO or ASIS to receive the information; and
- the Director-General of ASIO or ASIS has also certified in writing that the disclosure would be connected with the performance by ASIO or ASIS of its functions.
Organisations complying with requests from ASIO or ASIS may wish to consider keep a record of the disclosure, in case the disclosure is queried, although this is not a requirement of the PDP Act.
Verifying the authority underpinning requests for information under IPPs 2 .1(f)-(h)
When dealing with a request for information or documents under IPPs 2.1(f)-(h), organisations should satisfy themselves that the request is legitimate and the requester is authorised to act on behalf of the organisation that has the authority or demand power. This may entail verifying the identity and authority of the person making the request, for instance by requiring a verbal or written confirmation from a more senior officer in the organisation. The requester should also be able to provide a specific reference to their legislative authority, for instance by stating the section in the relevant Act that they are relying on to authorise or demand the information being sought.
Organisations are not authorised by IPP 2.1(g) to simply hand over information on request. IPP 2.1(g) requires the organisation to make a judgement about whether the use or disclosure is reasonably necessary in the circumstances. See Dodd v Department of Education and Training (General)  VCAT 2207, where VCAT noted that a Department may need to give more consideration to relevance when exercising a discretion to release information under IPP 2.1(g) than it might when responding to a compulsory demand for information under IPP 2.1(f):
It is a central plank of Dr Dodd’s submissions that he considers the Department had a responsibility to consider the relevance of these two documents to the enquiry into [a fellow teacher’s] conduct when making the documents available to VIT [the Victorian Institute of Teaching, regulator of the teaching profession]. While that submission might have force if one were considering IPP 2.1(g), that is not the case with IPP 2.1(f).
Section 27(2) of the VIT Act requires the department to provide VIT with any information VIT might reasonably require to conduct its enquiry. The mandatory duty imposed on the Department is to provide information, nothing more. It does not impose a duty on the Department to consider matters such as relevance – that rests with VIT. And indeed it would be a strange state of affairs were it not so. VIT is given the power to inquire and it would be an extraordinary fetter on its task if it were only to be given the material the Department considered relevant to the task. VIT is not bound by the Department’s findings; it must consider the evidence afresh and come to its own conclusion. Furthermore the remedies available to it are not identical with those provided to the Department. In my view there is absolutely no foundation for suggesting that the department should consider the relevance of documents it makes available to VIT pursuant to the obligation cast on it by section 27.
When assessing whether to disclose information to a law enforcement agency, the organisation can take the following steps to assess whether the request is properly made:
- Consider if the information is to be released to an authorised member of a ‘law enforcement agency’ (as defined in section 3 of the PDP Act). Has the member’s identity and authority to make the request been verified?
- Consider if the information is relevant to one of the five purposes specified in IPP 2.1(g)? Has this use been confirmed by the law enforcement agency? What information has been provided to verify the information is to be used for the stated purpose?
- Contacting the law enforcement agency to verify the request and to establish what information is being requested, so only the required information is provided to prevent making an excessive disclosure
- Discussing the decision to disclose information with the appropriate staff within your organisation for example the legal department
- Ensuring that the information related to making the decision and related correspondence is stored appropriately (please refer to IPP 2.2).
Recording uses and disclosures of information under IPPs 2.1(e) – (h)
In the PDP Act there is only a requirement to record a note if a use or disclosure is made under IPP 2.1(g), which is stated in IPP 2.2. However decisions or queries may be made in relation to any use or disclosure under IPPs 2.1(e)-(h). Therefore it is recommended that any decision to use or disclose information under IPPs 2.1(e)-(h) be recorded, including the reasons for the decision made. For more guidance in relation to this please refer to IPP2.2.
- Little v Melbourne CC (General) (2006) VCAT 2190 , -.
- Johns ,  – . See also,  (Dawson J),  (Gaudron J),  (McHugh J).
- Ng v Department of Education  VCAT 1054 (6 June 2005) .
- Ng v Department of Education  VCAT 1054 (6 June 2005),  – .
- Complainant AB v Victoria Police  VPrivCmr 3.
- Complainant M v Tertiary Institution  VPriv Cmr 7.
- Complainant D v Minister  VPrivCmr 4.
- Ng v Department of Education  VCAT 1054 .
- Complainant H v Local Council  VPrivCmr 2 (26 February 2004).
- Link to IPP 1.3 section.
- Link to Key Concept ‘Reasonable.’
- Complainant A v Local Council  VPrivCmr 1 (17 March 2003).
- Kudleck v Victoria University (Human Rights)  VCAT 1971 (7 November 2013).
- Taylor v Victorian Institute of Teaching (Human Rights)  VCAT 1290 (3 May 2013).
- Ibid at  – .
- Complainant F v Tertiary Institution  VPriv Cmr 6 (1 December 2003).
- Complainant AG v Local Council  VPrivCmr 2 (8 June 2007).
- Complainant AC v Public Sector Body  VPrivCmr 4 (28 April 2006).
- Complainant AU v Public Sector Agency  VPrivCmr 3 (28 September 2011).
-  AICmr 88 (2 September 2014).
- National Statement on Ethical Conduct in Human Research (2007), updated 2018.
- National Statement on Ethical Conduct in Human Research (2007) – Updated 2018, Chapter 2.3.
- TYGJ and Information Commissioner, Re  AATA 1560  (which considered the equivalent provision under Commonwealth privacy law).
- TYGJ and Information Commissioner, Re  AATA 1560 .
- TYGJ and Information Commissioner, Re  AATA 1560 .
- Director General, Department of Education and Training v MT (GD)  NSWADTAP 77.
- Zeqaj v Victoria Police (Human Rights)  VCAT 1733 (20 November 2018) .
- Section 22 of the Public Administration Act 2004 (Vic) defines ‘misconduct,’ for which penalties (including a salary reduction, demotion, suspension or dismissal) may be imposed, to include: (a) a contravention of a provision of the Public Administration Act, the regulations or a binding code of conduct; (b) improper conduct in an official capacity; (c) a contravention, without reasonable excuse, of a lawful direction given to the employee as an employee by a person authorised (whether under this Act or otherwise) to give the direction; (d) an employee making improper use of his or her position for personal gain; (e) an employee making improper use of information acquired by him or her by virtue of his or her position to gain personally or for anyone else financial or other benefits or to cause detriment to the public service or the public sector.
- Complainant I v Department  VPrivCmr 4.
- In Secretary, Department of Premier and Cabinet v Hulls  3 VR 331 per Phillips JA at 342 suggested that “requires” means demands or necessitates.
- Zeqaj v Victoria Police (Human Rights)  VCAT 1733 (20 November 2018) .
- ‘OJ’ and the Department of Home Affairs  AlCmr 35 (19 March 2018).
- (General)  VCAT 2207.
- Zeqaj v Victoria Police (Human Rights)  VCAT 1733 (20 November 2018) .
- Complainant A v Local Council  VPrivCmr 1.
- See, for example, Victorian Ombudsman, Review of the Freedom of Information Act, discussion paper, May 2005, available at http://www. ombudsman.vic.gov.au, pages 44-46.
- Zeqaj v Victoria Police (Human Rights)  VCAT 1733 (20 November 2018).
- Privacy and Data Protection Bill 2014, Explanatory Memorandum, Schedule 1, p.35
-  VPrivCmr 3.