As most people know, the Privacy Act’s information privacy principles 10 and 11, relating to the use and disclosure of personal information that an agency holds, are subject to a range of exceptions:
- the agency got the information from a publicly available publication and, in the circumstances, it would not be unfair or unreasonable to use the information; or
- the individual concerned has authorised the use; or
- the use is necessary for a public sector agency to uphold or enforce the law, protect the tax base, or for the conduct of court or tribunal proceedings; or
- the use is necessary to prevent or lessen a serious and imminent threat to public health or safety, or the life or health of any individual; or
- the use is directly related to the purpose for which the information was obtained; or
- the information is used in a form in which individuals are not identified; or
- the information is used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify individuals; or
- the use is authorised by the Privacy Commissioner under section 54.
- the disclosure is in connection with, or directly related to, one of the purposes for which it was obtained
- the agency got the information from a publicly available publication
- disclosure is to the individual concerned
- disclosure is authorised by the individual concerned
- it is necessary for a public sector agency to disclose the information to uphold or enforce the law, protect the tax base, or for the conduct of court or tribunal proceedings
- disclosure is necessary to prevent or lessen a serious and imminent threat to public health or safety, or the life or health of any individual
- disclosure is necessary to facilitate the sale of a business as a going concern
- the information is to be used in a form in which the individual concerned is not identified, or is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned
- disclosure has been authorised by the Privacy Commissioner under section 54.
IPP exceptions are generally unbridled
In a minority of contexts, some of these exceptions are reined in, either by codes of practice under the Privacy Act (e.g., the Health Information Privacy Code) or specific legislative provisions that curb what might otherwise be permissible under these IPPs. However, in most contexts, the exceptions can be resorted to in a wide range of situations and in relation to a wide range of personal information, regardless of the information’s sensitivity. There is no general curb on an agency relying on any of them if, for example, the personal information happens to be particularly sensitive for the individuals concerned.
Now, in some situations, this is understandable. One is hard-pressed, for example, to argue against using or disclosing personal information to prevent prejudice to the maintenance of the law or to prevent or lessen a serious threat, regardless of the information’s level of sensitivity. However, there can be situations where an agency that is sharing personal information with another agency may wish to limit the extent to which the receiving agency can use the information it receives and the extent to which it can disclose it to others. This can involve constraining the receiving agency’s ability to rely on certain IPP exceptions.
The exception that often stands out to me is this exception (which is in both IPPs 10 and 11):
‘the information is used (IPP10) or is to be used (IPP11) for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned’
This is a broad exception. It’s capable of allowing researchers (for example) employed by an agency or working for an agency under a contract for services to see and use sensitive personal information for statistical or research purposes, and it’s capable of allowing an agency to disclose sensitive personal information to outside researchers for the same purposes, in each case as long as nothing is published in identifying form.
Let’s consider the implications
Think about this for a minute: a front-line agency or NGO (let’s call it Agency A) might collect and process sensitive personal information for a specific service-related purpose. In the normal course, unless an IPP11 exception or a specific statutory information sharing provision applies, Agency A ought not to disclose it to another agency (Agency B). However, as soon as Agency B has a statistical or research-related purpose for collecting and using the information (and assuming Agency A is willing to share the information), for Agency A the doors of IPP11 are thrust open. That statistical or research-related purpose is like a key that can unlock even sensitive personal information to the eyes of statisticians and researchers.
Of course, IPP1 ought to cause external researchers in Agency B to pause before collecting identifying information if identity-related information is not required for the function or activity they are performing (in which case the information should be requested in anonymised or de-identified form). Th Similarly, as a matter of good practice, Agency A should consider whether the personal information can be anonymised or de-identified prior to releasing it to Agency B in a manner that protects individuals’ privacy. However, the fact remains that there may be situations where Agency B will be able to say it’s reasonably necessary for it to be collecting the personal information in its identifying form. Once that point is reached, and assuming Agency A agrees, identifying personal information can be shared and that then raises the question of what Agency B might do with it. In addition to using the information for the statistical or research purpose for which Agency B collected it from Agency A, later in time Agency B might wish to use it for another purpose if an IPP10 exception applies. Agency B might also wish to disclose it to Agency C if an IPP11 exception applies, and then the issues as between Agencies A and B could be replayed as between Agencies B and C.
Similar issues can arise where Agency B has a broad statutory power to collect personal information from other agencies for particular purposes. Unless the statutory provision prohibits uses other than those for which the power is exercised, Agency B might be able to use the information for another purpose if permitted by an IPP10 exception or disclose it to another agency if permitted by IPP11.
Constraining the IPP exceptions
In these situations, the question becomes: can Agency A seek to constrain what Agency B does with the personal information that A shares with B, in a manner that constrains B’s ability to rely on IPP10 and 11 exceptions, and if so how?
The answer is, yes, A can seek to do this. A can seek to do this when B has no express statutory power to collect the information (i.e., where A and B are proceeding under the IPPs alone), and sometimes it can seek to do this when B does have an express statutory collection power (either because the statutory provision contemplates an MOU or agreement to regulate the sharing or because A and B agree that regulating the sharing is important), as long as the constraints imposed are not inconsistent with the statutory provision.
The means by which Agency A can seek to impose such constraints is an information sharing memorandum of understanding (MOU) or agreement. I’m not talking here about an Approved Information Sharing Agreement (AISA). AISAs can impose constraints, but I’m talking here about MOUs and agreements that are entered into where Agency A can share personal information with Agency B without an AISA and where no AISA is put in place to regulate the sharing.
It’s all well and good to talk about adding such constraints to an information sharing MOU or agreement, but how do you draft them?