Use and disclosure of personal information

APP entities must ensure that they comply with all requirements relating to the use and disclosure of personal information.

The use of personal information occurs when an APP entity handles and manages that information within the entity’s effective control. This includes accessing and reading personal information, making a decision based on personal information and passing personal information from one part of the entity to another.

The disclosure of personal information involves:

  • making the information accessible or visible to others outside of the APP entity; and

  • releasing the subsequent handling of the personal information from the entity’s effective control.

Whilst it is not uncommon for APP entities to engage sub-contractors to handle personal information on their behalf, regard must be had to whether this involves the use or disclosure of that information, as different obligations under the Privacy Act will arise. Whether the provision of personal information to a sub-contractor constitutes use or disclosure depends on the circumstances of each case, having regard to the degree of control the APP entity retains over the information. For example, if the second party can fully access and edit the information, the provision of the personal information constitutes disclosure under the Privacy Act and is subject to the relevant notice and consent requirements.

Can personal information be disclosed overseas?

The Privacy Act does not prevent an APP entity from storing or processing personal information outside Australia, either by itself or through a third party service provider. The APP entity must comply with the APPs in sending personal information to an overseas cloud service provider or pursuant to any other overseas outsourcing arrangement.

Before disclosing personal information to an overseas recipient, APP 8.1 requires an APP entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. It is very important to comply with this requirement, as in some circumstances an act done by the overseas recipient that would breach the APPs is taken to be a breach of the APPs by the disclosing entity.

There are a number of exceptions to APP 8.1. For example, APP 8.1 will not apply where:

  • the entity reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is, overall, substantially similar to the APPs and there are mechanisms available to the individual to enforce that protection or scheme; or

  • an individual consents to the cross-border disclosure, after the entity informs them that APP 8.1 will no longer apply if they give their consent.

As set out above, an overseas transfer of personal information may not be a disclosure if the personal information at all times remains under the effective control of the APP entity.

Note also that some categories of personal information are subject to special or additional rules. Part IIIA of the Privacy Act regulates credit reporting and includes some restrictions on sending information held in the Australian credit reporting system overseas.

Can personal information be disclosed for marketing purposes?

The general rule is that an organisation that holds personal information about an individual must not use or disclose that information for the purposes of direct marketing. There are, however, three major exceptions to the general rule, each of which is set out in APP 7.

First, if the organisation has collected personal information (other than sensitive information) directly from the individual and the individual would reasonably expect the organisation to use or disclose the information for that purpose, it may be used or disclosed for direct marketing. The organisation must also provide a simple means of opting out of the direct marketing communications.

Secondly, if the organisation has collected personal information (other than sensitive information) from the individual in circumstances where he or she would not reasonably expect the organisation to use or disclose the information for that purpose, or has collected the information from someone other than the individual, it may be used or disclosed for direct marketing if:

  • the individual has consented to the use or disclosure of the information for that purpose or it is impracticable to obtain that consent;

  • the organisation provides a simple means of opting out of the direct marketing communications; and

  • in each direct marketing communication, the organisation includes a prominent statement that the individual may request not to receive further direct marketing communications.

Finally, in the case of sensitive information, the individual must have consented to the use or disclosure of the information for that purpose.

Breach of Australian Privacy Principles

An act or practice of an APP entity that breaches an APP is considered ‘an interference with the privacy’ of the individual.

The Privacy Commissioner has significant investigation and enforcement powers in respect of interferences with the privacy of an individual. Where an individual makes a complaint, the Commissioner will generally attempt to conciliate the complaint, but the Commissioner also has the power to:

  • seek civil penalties against an organisation for serious or repeated interferences up to $1.8 million; and

  • accept enforceable undertakings as to compliance with the Privacy Act.

The Privacy Commissioner can also seek, and has sought, orders requiring respondents to amend their information handling procedures and to train staff in accordance with the revised procedures.

_______________________________________________________________________________________________________________________________________________________________

For more information, please contact Gavin McInnes on 07 3367 8681 or gmcinnes@grmlaw.com.au.

The information contained in this article is general in nature and cannot be regarded as anything more than general comment. Readers of this article should not act on the basis of this comment without consulting one of GRM LAW's legal practitioners, who will consider their particular circumstances.

Expertise

GRM LAW has a wide range of experience assisting companies in all aspects of business, corporate and IT law.

Not only will you find that GRM LAW is likely to have assisted someone in your exact situation, but you’ll find that a GRM LAW lawyer can distill a complex legal issue into a set of actionable options for you to consider.
