5. UPP 5: Use and disclosure

Updates and background for this project (Digest)

• Introduction
• ALRC Report 108
• Consultation paper 3
• The Commission’s conclusions

5.1 The focus of use and disclosure privacy principles is to ensure that an agency does not, broadly speaking, use or disclose personal information for a purpose other than the one for which it was collected.

Use

5.2 Under PPIPA, use of personal information is regulated by s 16 and s 17 (IPPs 9 and 10). These provide, respectively, as follows:

• An agency must not use personal information without taking reasonable steps to ensure that it is relevant, accurate, up to date, complete and not misleading.¹
• The information can only be used for the limited purpose for which it was collected, for a directly related purpose, or for a purpose for which consent has been given. It can be used without consent only if necessary to prevent or lessen a serious and imminent threat to a person’s health or safety.²

• the individual has consented to the secondary use;
• there is a serious and imminent threat to life, health or safety, or a serious threat to public health or safety;
• it is reasonably necessary for management of health services, or for training or research;
• it is to find a missing person;
• it is to investigate suspected unlawful activity, unsatisfactory professional conduct or breach of discipline;
• it is reasonably necessary to exercise law enforcement, complaints-handling or investigative functions; or
• it is prescribed by the regulations.

5.4 Disclosure of personal information is dealt with in s 18 and s 19 of PPIPA (IPPs 11 and 12). IPP 11 deals with disclosure of personal information generally and IPP 12 deals with disclosure of information “relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities” (“sensitive information”).

5.5 IPP 11 prevents disclosure to a person or body other than the individual to whom the information relates unless:

• the agency has no reason to believe that the individual would object to the third-party disclosure, and it is for a purpose directly related to the purpose for which the information was collected;³
• the individual is aware, or is reasonably likely to have been aware, that the third-party disclosure is usual practice;⁴ or
• the disclosure is necessary to prevent or lessen a serious and imminent threat to life or health.⁵

5.7 In relation to all personal information, sensitive or otherwise, disclosure is not permitted outside NSW or to a Commonwealth agency unless there are reciprocal privacy laws in place to protect the information, or the disclosure is permitted under a privacy code of practice.⁷

5.8 Disclosure of health information is dealt with in HPP 11. The provisions of HPP 11 mirror HPP 10 (use of information).⁸ As with use of health information, disclosure of health information is only allowed for the purpose for which it was obtained, or a directly related purpose if this is reasonably envisaged by the individual to whom the information relates. There are then 11 exceptions to this principle identical to the 11 exceptions contained in HPP 10. An additional exception not present in HPP 10 allows disclosure to an immediate family member for compassionate reasons.

ALRC REPORT 108

5.9 In Report 108, the ALRC recommended that the UPPs “contain a principle called ‘Use and Disclosure’ that sets out the requirements on agencies and organisations in respect of the use and disclosure of personal information for a purpose other than the primary purpose of collection”.⁹ This reflects the approach of the NPPs in that just one principle applies to use and disclosure of personal information by Commonwealth organisations.¹⁰ It does, however, depart from the existing Principles, which regulate use and disclosure of personal information by Commonwealth agencies in two separate principles.¹¹

Model Unified Privacy Principle 5

5.10 The ALRC formulated a ‘Use and Disclosure’ principle that contains eight circumstances in which an agency or organisation can use or disclose an individual’s personal information for a purpose other than the primary purpose of collection (a secondary purpose). The proposed UPP 5 provides as follows:

5.1 An agency or organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection (the secondary purpose) unless:

(a) both of the following apply:

(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and

(ii) the individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose;


(b) the individual has consented to the use or disclosure;

(c) the agency or organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to:


(i) an individual’s life, health or safety; or

(ii) public health or public safety;


(d) the agency or organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities;

(e) the use or disclosure is required or authorised by or under law;

(f) the agency or organisation reasonably believes that the use or disclosure is necessary for one or more of the following by or on behalf of an enforcement body:


(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal;


(g ) the use or disclosure is necessary for research and all of the following conditions are met:

(i) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the use or disclosure;

(ii) a Human Research Ethics Committee that is constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research (2007), as in force from time to time, has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act;

(iii) the information is used or disclosed in accordance with Research Rules issued by the Privacy Commissioner; and

(iv) in the case of disclosure—the agency or organisation reasonably believes that the recipient of the personal information will not disclose the information in a form that would identify the individual or from which the individual would be reasonably identifiable; or


(h) the use or disclosure is necessary for the purpose of a confidential alternative dispute resolution process.

5.2 If an agency or organisation uses or discloses personal information under paragraph 5.1(f) it must make a written note of the use or disclosure.

5.3 UPP 5.1 operates in respect of personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

Note 1: It is not intended to deter organisations from lawfully cooperating with agencies performing law enforcement functions in the performance of their functions.

Note 2: Subclause 5.1 does not override any existing obligations not to disclose personal information. Nothing in subclause 5.1 requires an agency or organisation to disclose personal information; an agency or organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

Note 3: Agencies and organisations also are subject to the requirements of the ‘Cross-border Data Flows’ principle when transferring personal information about an individual to a recipient who is outside Australia.

5.11 The current Principle 10, Limits on use of personal information, provides that:

1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:

(a) the individual concerned has consented to use of the information for that other purpose;

(b) the record keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;

(c) use of the information for that other purpose is required or authorised by or under law;

(d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or

(e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.


2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record keeper shall include in the record containing that information a note of that use.

1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

(a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;

(b) the individual concerned has consented to the disclosure;

(c) the record keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

(d) the disclosure is required or authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.


2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record keeper shall include in the record containing that information a note of the disclosure.

3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

• the individual consents;
• a law requires or authorises the use or disclosure;
• it is for law enforcement purposes; or
• it is to prevent or lessen a serious and imminent threat to the life or health of the individual or another person.

5.15 UPP 5 similarly allows use or disclosure for a secondary purpose if the individual consents; or a law requires or authorises the use or disclosure; or it is for law enforcement. UPP 5 is, however, far more comprehensive in relation to use for law enforcement purposes than Principles 10 and 11.

5.16 UPP 5 differs from Principles 10 and 11 in the following respects. Secondary use is allowed:

• to lessen or prevent a serious threat (imminent is not specified) to an individual’s life, health or safety; or public health or safety; or
• if related to the secondary purpose – it need only be directly related if the information is sensitive – and the individual would reasonably expect such use or disclosure.

• as part of an investigation into, or reporting of, unlawful behaviour;
• where necessary for research; or
• where necessary in an alternative dispute resolution process.

• NPP 2 contains clauses dealing specifically with direct marketing¹² and genetic information whereas UPP 5 does not refer to either.¹³
• The exception in NPP 2 for research, including compilation and analysis of statistics, is specifically in relation to health information and research relevant to public health or safety. Contrast UPP 5, which applies to research generally. Also, the three conditions that must be met under NPP 2.1(d) differ from the four conditions set by UPP 5.1(g). Under NPP 2.1(d), it must be impracticable to obtain consent to the use or disclosure; under UPP 5.1(g) it can be impracticable or unreasonable. Under NPP 2.1(d), the organisation must believe that there will not be further disclosure by the recipient; under UPP 5.1(g) the agency or organisation must believe that there will not be further disclosure by the recipient in a form that would or could identify the individual. Use or disclosure under NPP 2.1(d) must be in accordance with guidelines approved by the Privacy Commissioner; use or disclosure under UPP 5.1(g) must be in accordance with Research Rules issued by the Privacy Commissioner. A significant departure in UPP 5 is the inclusion of a condition that the public interest in the research activity must outweigh the public interest in the privacy of the information.
• Information can be used or disclosed under NPP 5 to prevent a serious and imminent threat to life, health or safety; whereas under UPP 5, the threat need only be serious.
• UPP 5 provides for use or disclosure of information for alternative dispute resolution whereas NPP 2 does not.

One principle

5.19 In Report 108, the ALRC noted that the majority of submissions addressing this issue supported a single principle dealing with use and disclosure.¹⁴ The Office of the Privacy Commissioner reflected many of the reasons given:¹⁵

[A single use and disclosure principle] would assist in providing a consistent approach for the handling of personal information and may go some way to alleviating the confusion that surrounds identification of whether certain activities and information handling practices are considered a “use” or a “disclosure” and which provisions should apply.¹⁶

5.21 The ALRC agreed with submissions that a single principle would reduce complexity and confusion, providing it was clear that the two concepts were not thereby conflated and that agencies and organisations must continue to understand what actions constitute a use or disclosure.¹⁸ The ALRC also noted that one principle was consistent with the process of consolidating the Principles and NPPs into a single set of principles.¹⁹

Form of the principle

5.22 Use or disclosure for a secondary purpose. The majority of submissions to the ALRC’s DP 72 supported allowing use and disclosure for a secondary purpose if that was related to the primary purpose, or directly related in the case of sensitive information, and the individual would reasonably expect the agency to use or disclose the information for the secondary purpose.²⁰

5.23 Reasons for support included that this would provide more flexibility in the use of information than currently available under Principle 10,²¹ while still maintaining the necessary level of privacy protection.²² It was also seen as providing a better safeguard of privacy than the current Principle 11, which allows disclosure by an agency for any unrelated purpose if the individual is informed.²³ Other submissions observed that the recommended approach has been operating effectively, “balancing privacy and operational requirements”, in the private sector.²⁴

5.24 Not all submissions agreed with the proposed form of UPP 5. The Public Interest Advocacy Centre argued that there should be a direct relationship between the secondary and primary purpose for both sensitive and non-sensitive information before use or disclosure could be allowed. It pointed out that “most Australians have a high level of concern about use of their personal information for a purpose other than the original purpose”.²⁵ The Australian Taxation Office argued that the “reasonable expectation” test would make the use principle difficult to apply.²⁶

5.25 The ALRC agreed with submissions that an approach that has worked well in the private sector should be extended to the public sector.²⁷ It concluded that the proposed two-pronged test, requiring a relationship between the secondary and primary purposes and reasonable expectation of such use or disclosure, achieves an appropriate level of privacy protection. It rejected applying the “direct relationship” test to non-sensitive information as being too onerous for organisations and having the potential to hamper legitimate health and other research.²⁸ It noted that the less stringent test was balanced by the additional protection offered by the “reasonable expectation” test.²⁹

5.26 The ALRC was also of the view that the existing approach of Principle 11, which allows an agency to disclose personal information merely on the basis that the individual was reasonably likely to have been aware, or made aware, that information of that kind is usually disclosed to a particular entity, was unsatisfactory.³⁰ It pointed out that an individual could be told after his or her personal information had been collected that it would be disclosed to another and that the disclosure need not have anything to do with the reason for collection of the information in the first place.³¹ UPP 5 seeks to remedy this situation.

5.27 Threat to life, health or safety. The ALRC received a large number of submissions arguing that a threat to life, health or safety should not need to be both serious and imminent before information can be used or disclosed for a secondary purpose.³² It was argued that this hinders agencies in doing what is necessary to meet a credible threat; that they may err on the side of caution, which may not be in the best interests of those affected by the threat; and that an assessment of the seriousness and imminence of the threat may only be possible if the relevant person has the information in hand – a “Catch 22” situation.³³

5.28 Other reasons given in support of eliminating the “imminent” requirement were that the requirement: “creates additional interpretive uncertainty”; may fuel escalation of a crisis; can be difficult to establish because the information about the extent and nature of a threat is held by another party”;³⁴ makes the exception too narrow to be effective; and that its removal would make the test consistent with confidentiality provisions in social security and family assistance legislation.³⁵

5.29 Submissions opposing removal of the “imminent” requirement argued that this would lower privacy protection and deny individuals “the opportunity to exercise an appropriate degree of control over the disclosure of their personal information”.³⁶ It was also argued that “a ‘serious threat’ may create ambiguity and be difficult to apply; and ‘serious’ may not be interpreted as implying a consideration of consequence and likelihood, as suggested in DP 72”.³⁷ The Cyberspace Law and Policy Centre submitted that it would be “very dangerous” to remove the “imminent” requirement in regard to threats to public health or safety because it would open the way for claims to be made under a wide range of law enforcement and welfare programs, “including high-volume data-matching and data linkage projects”. In the Centre’s view, this was “clearly never the intention of Parliament”.³⁸

5.30 The ALRC concluded that the current requirement that the threat be not only serious but also imminent “sets a disproportionately high bar”.³⁹ This creates particular problems where there are compelling reasons to use or disclose information but it is impracticable to obtain the individual’s consent. In any case, the assessment of whether a threat is serious involves assessment of the likelihood of its materialising.⁴⁰ The ALRC pointed out that its formulation of UPP 5 contains important safeguards, in particular, the need for an agency or organisation “to have reasonable grounds for its belief that the proposed use or disclosure is essential”.⁴¹ This, it concluded, forms an appropriate balance with the public interest in averting threats to life, health and safety.⁴²

5.31 Unlawful activity. When the Privacy Act was amended in 2000,⁴³ a new exception to NPP 2 relating to unlawful activity was added.⁴⁴ The Explanatory Memorandum to the amending Bill stated that the exception “explicitly acknowledges that one of an organisation’s legitimate functions is to investigate, and report on, suspected unlawful activity relating to its operations”.⁴⁵ However, the wording of NPP 2.1(f) does not specifically confine the unlawful activity being investigated or reported by the organisation to activities within, or related to, the organisation. The Office of the Federal Privacy Commissioner guideline states that “ordinarily but not in all cases, the suspected unlawful activity would relate to the organisation’s operations”.⁴⁶ UPP 5.1(d) adopts NPP 2.1(f) with the wording unchanged (other than extending its application to agencies).

5.32 Submissions to the ALRC’s DP 72 did not oppose extending NPP 2.1(f) to the public sector.⁴⁷ Both the Department of Foreign Affairs and Trade and Centrelink suggested that the exception be expanded to include investigations of serious misconduct.⁴⁸ The Office of the Federal Privacy Commissioner suggested that “relevant persons or authorities” be “identified as being explicitly linked to the investigation”, otherwise the exception could be too broadly interpreted.⁴⁹ No issue was raised in DP 72 as to whether the unlawful activity should relate to the organisation’s or agency’s operations.

5.33 The ALRC did not see a need to include a reference to “serious misconduct” for two reasons.⁵⁰ First, the Office of the Federal Privacy Commissioner has interpreted “investigation” to include investigation of professional misconduct.⁵¹ Secondly, UPP 5.1(f) authorises use and disclosure by or on behalf of a law enforcement body to prevent, detect, investigate or remedy serious misconduct.

5.34 Law enforcement. In UPP 5.1(f), the ALRC has favoured the more comprehensive law enforcement exception of NPP 2 over Principles 10 and 11 because “[it] canvasses with greater precision the legitimate areas of law enforcement and regulation that warrant the authorisation of secondary use and disclosure of personal information” and because it promotes clarity.⁵² The ALRC also concluded that the exception should not be limited to existing investigations but should allow for enforcement agencies initiating investigations in the public interest.⁵³

5.35 Alternative dispute resolution. The ALRC has recommended the inclusion of a new exception relating to alternative dispute resolution (“ADR”) as this recognises the increasing significance of the role of ADR in the formal justice system as well as more broadly across commercial sectors and the community.⁵⁴ Without this exception, privacy legislation could obstruct the information exchange necessary to the resolution of disputes through ADR.

5.36 Missing persons. The ALRC also considered inclusion of an exception relating to missing persons but ultimately rejected this. It acknowledged that the subject raised complex issues and competing policy considerations, potentially applying to persons who in fact did not want to be found, such as in situations of family breakdown or domestic violence, and whose privacy could be seriously infringed.⁵⁵ On balance, the ALRC was of the view that where an agency or organisation had a legitimate reason to search for a missing person, the other exceptions to the use and disclosure principle should be used or a public interest determination sought.⁵⁶

CONSULTATION PAPER 3

5.37 In CP 3,⁵⁷ we raised a number of issues in relation to the operation and framework of IPPs 9 and 10 and HPP 10. The preliminary question, similarly raised by the ALRC, was whether the separate principles governing use and disclosure should be merged into one. Other issues, although specifically raised in relation to IPPs 10 and 11 and HPPs 10 and 11, are relevant to UPP 5 and are examined in paragraphs 5.38-5.57 for their bearing on UPP 5.

One principle

5.38 Issue 36 asked:

(a) Should “use” and “disclosure” be treated as one concept such as “processing”, or as a combined phrase such as in the proposed UPP 5, with the one set of privacy standards and exemptions applying?

(b) Alternatively, should the same privacy standards, and exemptions from those standards, contained in the HPPs apply equally to “use” and “disclosure” of information?⁵⁸

Form of the principle

Use or disclosure for a secondary purpose

5.40 As set out above, UPP 5.1(a) allows use and disclosure of information for a secondary purpose if: the secondary purpose is related, or directly related in the case of sensitive information, to the primary purpose; and the individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose. IPP 11.1(a) allows information to be disclosed to a third person “if the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure”. IPP 11.1(b) allows third party disclosure if the individual “is reasonably likely to have been aware, or has been made aware … that information of that kind is usually disclosed” to the third party. No mention is made in IPP 11.1(b) of a relationship between the purpose for collection and the purpose for disclosure to another.

5.41 CP 3 raised an issue in relation to IPP 11.1(b) that should be tested against UPP 5.1(a). The Commission asked whether IPP 11.1(b)⁶² should be amended to include the phrase “and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure”.⁶³ The question relevant to UPP 5.1(a) is whether it is sufficient that the individual would reasonably expect an agency to use or disclose his or her information for the secondary purpose, or whether the agency should also demonstrate that it has no reason to believe that the individual would object to the use or disclosure.

5.42 The Australian Privacy Foundation and the Cyberspace Law and Policy Centre submitted that there should not be an exception to the ‘Use and Disclosure’ principle based solely on awareness.⁶⁴ They favoured the approach of UPP 5.1(a) pursuant to which the test is positive and objective, namely whether “the individual would reasonably expect”, rather than negative and subjective, namely that “the agency has no reason to believe the individual would object”. The NSW Department of Corrective Services did not think that the further test of the agency’s belief that the individual would not object should be added.⁶⁵ The Law Society of NSW thought it should. However, as the Australian Privacy Foundation and the Cyberspace Law and Policy Centre pointed out, there is a distinction between an individual being aware, or made aware, that information is usually discussed, and what use and disclosure could reasonably be expected. It is uncertain whether the Law Society’s response would be the same if the issue were tested against the wording of UPP 5.1(a).

Relevant purpose

5.43 Issue 37 asked:

Is the correct interpretation of IPPs 10 and 11 and HPPs 10 and 11 that the relevant purpose is the one for which the agency/organisation collected it? If so, should the provisions be amended to clarify this?

5.45 Submissions addressing Issue 37 all agreed that the correct interpretation is that “primary purpose” is the purpose for which the agency collected the information, whether from the individual or a third party.⁶⁷ Both the Law Society of NSW and the Cyberspace Law and Policy Centre submitted that this should be clarified in the legislation.⁶⁸ In addition, the Cyberspace Law and Policy Centre was of the view that the term “collected” could limit the operation of the principle because personal information can be created by an agency without going through a process that could be described as collection. It suggested substituting a more neutral term such as “obtained”.

Unsolicited information

5.46 Issue 38 asked whether IPPs 10 and 11, and HPPs 10 and 11, apply to unsolicited information, and, if not, whether they should apply. All submissions addressing this issue thought that the ‘Use and Disclosure’ principles should apply to unsolicited information,⁶⁹ the Law Society of NSW stating that they do not presently apply.⁷⁰

5.47 The ALRC has recommended that, if an agency receives unsolicited information, it must either destroy the information (if lawful and reasonable to do so) without using or disclosing it, or otherwise comply with all relevant UPPs as if the agency had actively collected the information.⁷¹ In CP 3, the Commission asked whether the NSW privacy principles should include a principle in terms identical, or equivalent, to the proposed UPP 2.5 (as it was then numbered in the ALRC’s DP 72).⁷² The Commission discusses the proposed UPP in Chapter 2 and notes that all responses to Issue 38 supported the ALRC’s approach. The Commission supports the inclusion of UPP 2.4 in privacy legislation.⁷³

Sensitive information

5.48 CP 3 raised two issues relating to the disclosure of sensitive information under PPIPA, one of which does not arise under UPP 5 because of the different approach of the Privacy Act, and one of which is relevant to UPP 5.⁷⁴

5.49 Section 19(1) of PPIPA imposes higher standards for disclosure of “personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities”. The Commission describes this in CP 3 as “sensitive information”, although this is not a phrase formally defined in PPIPA. CP 3 asked whether a person’s criminal history and record should be included as sensitive information⁷⁵ and whether what is meant by “sexual activities” should be clarified.⁷⁶ These issues were not raised by the ALRC in relation to the UPPs as the Privacy Act defines “sensitive information” to include an individual’s criminal record and an individual’s “sexual preferences or practices”.⁷⁷ The question that arises in relation to UPP 5 is whether “criminal history” should be included with “criminal record” as sensitive information.

5.50 Submissions addressing Issue 41 were divided in their views. The Australian Privacy Foundation, the Cyberspace Law and Policy Centre, the Inner City Legal Centre, the Law Society of NSW, Privacy NSW and the Intellectual Disability Rights Service all believed that criminal history and record should be included in the sensitive information given higher protection from disclosure.⁷⁸ The Australian Privacy Foundation and the Cyberspace Law and Policy Centre submitted that “criminal record” alone, as used in the Privacy Act, is too narrow as it can be interpreted to exclude information about arrests, charges, and so forth, that do not result in formal criminal records.⁷⁹ The phrase “criminal history” defined to include criminal records and other involvement with the criminal justice system is preferable. Privacy NSW commented that criminal record information is highly personal and has the potential to give rise to unjustified discrimination against individuals.⁸⁰

5.51 The Intellectual Disability Rights Service went further in submitting that information about the criminal history and record of a person with intellectual disability should not be disclosed unless that person has expressly consented, or it is required for legal proceedings or by law, or it is necessary to prevent a serious and imminent threat to life or health.⁸¹ The Service submitted that:

Given that people with intellectual disability are recognised under NSW criminal law statutes as having reduced culpability where certain conditions are met, it would be unfair to have their criminal records disclosed on the same basis as persons without a cognitive disability …⁸²

5.53 The NSW Department of Corrective Services opposed applying special restrictions to the disclosure of a person’s criminal history and record on the basis that this would impede the Department’s role in helping an offender to adapt to community life, such as in finding appropriate employment.⁸⁴ The Department has a duty of care to ensure that individuals in the community are not unfairly placed at risk, which occasionally requires disclosure of this kind of information. If it were to be defined as “sensitive information”, the Department submitted that an exemption for law enforcement agencies, or just the Department, would be necessary.

5.54 There was unanimous support for clarifying the meaning of “sexual activities” in s 19(1) of PPIPA.⁸⁵ Adopting the phrase “sexual orientation and practices” used in the Privacy Act was favoured. However, the Department of Corrective Services submitted that it should be exempted from compliance with stricter disclosure rules as it is sometimes required to disclose information in relation to sexual offences to meet its obligations under the Crimes (Administration of Sentences) Act 1999. If other exceptions do not apply in the circumstances, such as there being a serious and imminent threat to the life or health of an individual or the Department having the consent of the individual, the Department submitted that it can experience delays or difficulties in meeting its obligations.⁸⁶

Investigative agencies

5.55 Issue 45 asked whether s 24 of PPIPA should be amended to exempt an agency from compliance with IPPs 10 and 11⁸⁷ when the agency is disclosing personal information to an investigative agency for the purpose of that investigative agency carrying out its complaints-handling or investigative functions.

5.56 Section 24 applies exemptions to an agency that is itself investigating a complaint. It does not apply to an agency disclosing personal information to an investigative agency. This creates problems where the investigative agency does not have coercive powers, or in situations where coercive powers are not available, and the investigative agency needs information held by the non-investigative agency to carry out its functions.

5.57 In their submissions to CP 3, the Australian Privacy Foundation and the Cyberspace Law and Policy Centre did not think s 24 should be amended.⁸⁸ The Australian Privacy Foundation submitted that there was “no justification for the wholesale exemption either of investigative agencies themselves or of ‘disclosures to investigative agencies’ from all the provisions” covered by s 24.⁸⁹ In its view, limited exemptions may be appropriate but should be narrow and contained within the applicable principle.⁹⁰ The Inner City Legal Centre, on the other hand, thought s 24 should be amended.⁹¹

THE COMMISSION’S CONCLUSIONS

One principle

5.58 In CP 3, the Commission noted that the division between “use” and “disclosure” is largely a peculiarity of Australasian privacy legislation and that, in other jurisdictions, use and disclosure are dealt with together, often under a generic expression like “processing”.⁹² The original OECD Guidelines covered both concepts within the one “Use Limitation” principle, which applied to information “disclosed, made available or otherwise used”. Separating the concepts has its historical roots in the original privacy principles in the Privacy Act, which have since been amended. The distinction was removed in the NPPs, inserted into the Act in 2000.⁹³

5.59 Leaving the principles separate and relying on rules of statutory interpretation construing “use” and “disclosure” as having the same meaning is not an option. This construction has been rejected by the Administrative Decisions Tribunal. In NZ v Director General, New South Wales Department of Housing, the Tribunal held that “use” refers to “the handling of personal information within the collecting agency” and “disclosure” to “the giving of the information by the collecting agency to a person or body outside the agency”.⁹⁴ Similarly, in JD v Department of Health, the Appeal Panel held that “‘use’ normally bears the connotation of employing information for a purpose” and, if an agency “merely retrieves information in its possession and discloses that to an external person or body, there is no ‘use’ involved”.⁹⁵

5.60 On the other hand, the distinction between “use” and “disclosure” is not as clear-cut as the Administrative Decisions Tribunal has assumed.⁹⁶ For example, in Director General, Department of Education and Training v MT, the Tribunal held that s 16 of PPIPA “applies a data quality standard to all uses of personal information by an agency including conduct involving disclosure of personal information by the agency”.⁹⁷ This gives weight to Privacy NSW’s argument that having different IPPs apply to use and disclosure gives rise to technical arguments as to when processing of information involves use or disclosure.⁹⁸

5.61 The way in which PPIPA applies different standards of privacy depending on whether there is use or disclosure of the information is objectionable in itself. For example, IPP 12 gives sensitive information a higher degree of protection with respect to disclosure than it receives with respect to use; an agency is required to check the accuracy of personal information before it uses it but not before it discloses it.⁹⁹

5.62 The Commission agrees with the ALRC, and with submissions both to the ALRC’s Report 108 and the Commission’s CP 3, that having a single principle applying to use and disclosure would remove inconsistencies, confusion and technical legal argument about which category an activity falls within. By making the legislation less complex, it is more accessible and likely to foster greater compliance.

5.63 The Commission supports UPP 5, subject to our comments below on the content of the principle.

Form of the principle

Use or disclosure for a secondary purpose

5.64 The Commission supports a privacy principle that, broadly speaking, allows information to be used or disclosed for a purpose related to the primary purpose of collection. We note that the majority of submissions to the ALRC’s DP 72 were in favour of this. In our view, it is reasonable to provide agencies with this flexibility to carry out their functions, providing the exemption is counter-balanced by proper privacy protection.

5.65 In the Commission’s view, the proposed UPP 5.1(a) provides a better level of privacy protection than either Principles 10 or 11, or IPP 11. Principle 10 merely states that the purpose for which the information is used must be directly related to the purpose for which the information was obtained. Principle 11 allows disclosure by an agency for any unrelated purpose if the individual is informed, which, in the Commission’s view, is risky and difficult to justify. IPP 11 treats the exemption of UPP 5.1(a) in two parts: IPP 11.1(a) allows disclosure where it is directly related to the primary purpose and the agency has no reason to think the individual will object, with no mention of the individual’s awareness or expectation; and IPP 11.1(b) allows disclosure, whether for a related or unrelated purpose, if there is the requisite awareness. Even if the individual objects to the disclosure, it is allowed under IPP 11.1(b). Furthermore, there is no condition that the individual must be aware at the time of collection of his or her personal information. Neither provision is entirely satisfactory.

5.66 Paragraph 5.41 raises the question whether the privacy protection offered by UPP 5.1(a) could be improved. The Commission noted that three submissions responding to CP 3’s Issue 40, which asked whether the condition “and the agency has no reason to believe the individual would object” should be added to IPP 11, favoured the amendment and one did not. However, the Commission also noted that IPP 11 is couched in terms of an individual’s “awareness” rather than “reasonable expectation”.

5.67 Nevertheless, the Commission is of the view that it is warranted to strengthen the privacy protection of UPP 5.1(a) by adding “and the agency has no reason to believe that the individual would object”, given that:

• most individuals would feel uneasy about their personal information being used or disclosed for a reason other than the one for which it was collected; and
• the condition does not place any onerous burden on the agency; an agency is not required to satisfy itself that the individual does not object; it is only required to refrain from using or disclosing information if it has reason to believe the individual would object, that is, some evidence of objection has come to its attention or is in its possession.

RECOMMENDATION 5

UPP 5.1(a) should be modified in the following way:

5.1 An agency must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection (the secondary purpose) unless:

(a) both of the following apply:

(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and

(ii) the individual would reasonably expect the agency to use or disclose the information for the secondary purpose and the agency has no reason to believe that the individual would object.

5.69 Paragraphs 5.27-5.30 canvass the arguments for and against allowing information to be used or disclosed for a secondary purpose where there is merely a “serious” threat, as opposed to a “serious and imminent” threat, to life, health or safety. The Commission has reached a similar conclusion as it did in relation to the collection of sensitive information in emergency situations.¹⁰⁰ That is, the Commission agrees with the ALRC that it is enough for a threat to be serious to justify using or disclosing information for a secondary purpose. First, assessing the seriousness of a risk will almost certainly involve an assessment of the likelihood, and likely timing, of its eventuating. Secondly, a threat may not necessarily be imminent but may still be of a level of seriousness that calls for use or disclosure for a secondary purpose, such as an illness or infection that may be slow in developing or have a lengthy incubation period. In any case, the concept of “imminent” is imprecise. Does it refer to an event that may occur in 24 hours? In a week? Within a month? Admittedly, a similar argument can be levelled at the concept “serious”, but the difficulty with employing the exemption is compounded by its use of the two tests. The Commission agrees with the ALRC that the requirement that a threat be both serious and imminent “sets a disproportionately high bar”.

Unlawful activity

5.70 The Commission agrees that it is appropriate to allow both agencies and organisations to disclose information for a secondary purpose in order to investigate unlawful activity. However, we are not entirely persuaded by the ALRC’s reasons for not including in UPP 5.1(d) an exemption to investigate “serious misconduct”. Serious misconduct may not necessarily be unlawful but may warrant discipline or dismissal of an employee and may be handled within the organisation or agency. A law enforcement body may not be involved, in which case the investigation is not “by or on behalf of a law enforcement body” and does not fall within the exception of UPP 5.1(f). An agency or organisation may need to divulge certain personal information in order to obtain further information to assist it in its investigation into the misconduct. In the Commission’s view, it does not seem justified to hinder the agency or organisation in this process. We recommend including a specific reference to “serious misconduct” within UPP 5.1(d). This widening of UPP 5.1(d) is balanced by our recommendation that the sub-section be narrowed in other respects, as reasoned in the following paragraphs 5.71-5.72.

5.71 The Commission observed in paragraph 5.31 above that Parliament obviously took the view that in introducing NPP 2.1(f), on which UPP 5.1(d) is based, it was sufficient to explain that the sub-section “explicitly acknowledges an organisation’s legitimate role in investigating unlawful activity relating to its operations”¹⁰¹ without actually legislating this. We also noted that the federal Privacy Commissioner has clarified that “ordinarily but not in all cases, the suspected unlawful activity would relate to the organisation’s operations”.¹⁰²

5.72 In the Commission’s view, it is an important check on the inroads into an individual’s privacy permitted by UPP 5.1(d) that it be limited to investigations into an agency’s or organisation’s own activities. Perhaps if it merely allowed an agency or organisation to report its concerns to relevant persons or authorities, this would be more palatable. But for any agency or organisation, not being an investigative agency or organisation, to use the exemption in UPP 5.1(d) to investigate any suspected unlawful activity is in our view too wide and should be explicitly controlled in the legislation, not left to guidelines or parliamentary explanations.

5.73 The Commission is of the view that it is not necessary to include within UPP 5.1(d) a non-exhaustive list of persons and authorities that may be considered “relevant” for two reasons. First, this introduces a level of detail not appropriate in what are intended to be high-level principles. Secondly, that the person or authority must be relevant, and that the use or disclosure must be necessary, provide sufficient parameters.

RECOMMENDATION 6

UPP 5.1(d) should be modified in the following way:

the agency or organisation has reason to suspect that unlawful activity or serious misconduct relating to its operations has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities.

5.74 The Commission agrees with the ALRC’s formulation of UPP 5.1(f). We also agree that the exception should apply to investigations initiated in the public interest by or on behalf of an enforcement body, not just existing investigations. However, in our view, this is already implicitly allowed in the wording of UPP 5.1(f) and does not need to be enunciated.

5.75 Paragraph 5.55 canvasses the issue raised in CP 3 as to whether disclosure of information to an investigative agency should be allowed. UPP 5.1(f) allows an agency to use or disclose information if it believes this is reasonably necessary for one or more of a number of functions to be carried out by, or on behalf of, an enforcement body, including: law enforcement; protection of public revenue; processes relating to seriously improper conduct; and litigation before any court or tribunal. An enforcement body is defined in s 6 of the Privacy Act as one of 16 bodies, State or Territory authorities, or other agencies that are predominantly law enforcement or investigative bodies, but also include the Australian Crime Commission, the Australian Customs Service, and the Australian Prudential Regulation Authority.

5.76 UPP 5.1(f) appears to address the problem raised in relation to s 24 without creating “wholesale exemption” from a number of principles. For the purposes of NSW privacy legislation, “enforcement body” would, of course, need to be defined to include relevant State investigative bodies.

Relevant purpose

5.77 Paragraph 5.43 pointed to an issue raised in CP 3 not raised by the ALRC but nonetheless relevant to UPP 5. This relates to the legislative assumption contained in UPP 5 that the “primary purpose of collection” is clear and understood. In fact, where there have been multiple acts of collection, there is an ambiguity as to which is the “primary purpose of collection”. Is the “primary purpose” the purpose for which the individual gave his or her personal information or the purpose for which the agency collected it?

5.78 The unanimous view of submissions to CP 3 was that the “primary purpose of collection” is the purpose for which the agency collected the information, whether from the individual or a third party. The Commission accepts the views of the Law Society of NSW and the Cyberspace Law and Policy Centre that this should be clarified in the legislation.

RECOMMENDATION 7

“Primary purpose” in UPP 5 should be defined to mean the purpose for which the agency or organisation collected the personal information.

5.79 The Commission prefers the approach of the Privacy Act over PPIPA to sensitive information. The Commonwealth Act uses the actual term “sensitive information” and then defines this in s 6, whereas the State Act refers to “personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities” without defining this as sensitive information or using that term. With one modification, the Commission supports the Commonwealth definition of “sensitive information”, which is:

(a) information or an opinion about an individual’s:
(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) membership of a professional or trade association; or

(vii) membership of a trade union; or

(viii) sexual preferences or practices; or

(ix) criminal record;

that is also personal information; or
(b) health information about an individual; or

(c) genetic information about an individual that is not otherwise health information.

5.81 The Commission is not persuaded that including criminal history in the category of information that is defined as sensitive would necessitate an exemption for law enforcement agencies, or the NSW Department of Corrective Services in particular. If the Department needs to use or disclose a person’s criminal history in its role of reintegrating an offender into community life, it can do so if this is directly related to the primary purpose of collection of the information, or if the individual consents, or if it can rely on any of the other exemptions. It is difficult to see how its role and discharge of its duties would be impeded by this standard of privacy. By contrast, an individual could easily suffer prejudice and disadvantage by unchecked disclosure of his or her criminal history.

5.82 We have considered the submission of the Intellectual Disability Rights Service regarding special treatment of information about the criminal history and record of a person with intellectual disability. However, we have concluded that this level of specificity is not appropriate for high-level uniform principles and would be more properly dealt with by Privacy Guidelines.

RECOMMENDATION 8

“Sensitive information” should be defined to mean:

(a) information or an opinion about an individual’s:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) membership of a professional or trade association, or a trade union; or

(vii) sexual preferences or practices; or

(viii) criminal history, including criminal record;

that is also personal information; or

(b) health information about an individual; or

(c) genetic information about an individual that is not otherwise health information.

1. Privacy and Personal Information Protection Act 1998 (NSW) s 16, IPP 9.

2. Privacy and Personal Information Protection Act 1998 (NSW) s 17, IPP 10

3. Privacy and Personal Information Protection Act 1998 (NSW) s 18(1)(a), IPP 11(1)(a).

4. Privacy and Personal Information Protection Act 1998 (NSW) s 18(1)(b), IPP 11(1)(b).

5. Privacy and Personal Information Protection Act 1998 (NSW) s 18(1)(c), IPP 11(1)(c).

6. Privacy and Personal Information Protection Act 1998 (NSW) s 19(1), IPP 12. Note that disclosure is allowed only “to prevent” a threat, not “to prevent or lessen” a threat as provided for in IPP 11.

7. Privacy and Personal Information Protection Act 1998 (NSW) s 19(2), IPP 12. However s 19(5) may limit the operation of this, see para 11.22-11.23

8. See para 5.3.

9. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”) Recommendation 25.

10. Privacy Act 1988 (Cth) sch 3, cl 2, NPP 2.

11. Privacy Act 1988 (Cth) s 14, Principle 10, which places limits on the use of personal information and Principle 11, which places limits on the disclosure of personal information.

12. The ALRC has recommended regulating direct marketing in a discrete privacy principle separate from the Use and Disclosure principle: ALRC Report 108, Recommendation 26-1, UPP 6. See the discussion of UPP 6 in this report.

13. The ALRC has recommended that the exception for genetic information should be moved out of the Use and Disclosure principle and be dealt with in the Privacy (Health Information) Regulations: ALRC Report 108 vol 2 [25.125].

14. ALRC Report 108 vol 2 [25.16]. These were submissions to Australian Law Reform Commission, Review of Privacy Issues Paper 31 (2006), Questions 4-6; and Australian Law Reform Commission, Review of Australian Privacy Law Discussion Paper 72 (2007) Proposal 22-1.

15. See ALRC Report 108 vol 2 [25.17]-[25.18].

16. Office of the Federal Privacy Commissioner, Submission PR 215, 28 February 2007, quoted in ALRC Report 108 vol 2 [25.16].

17. ALRC Report 108 vol 2 [25.20].

18. ALRC Report 108 vol 2 [25.26]-[25.27].

19. ALRC Report 108 vol 2 [25.25].

20. ALRC Report 108 vol 2 [25.41].

21. This was seen as beneficial for such purposes as public health research; see CSIRO, Submission PR 176, 6 February 2007 and Veda Advantage, Submission PR 163, 31 January 2007, quoted in ALRC Report 108 vol 2 [25.37].

22. ALRC Report 108 vol 2 [25.42].

23. ALRC Report 108 vol 2 [25.42].

24. ALRC Report 108 vol 2 [25.42].

25. Public Interest Advocacy Centre, Submission PR 548, 26 December 2007, quoted in ALRC Report 108 vol 2 [25.46].

26. Australian Taxation Office, Submission PR 515, 21 December 2007, quoted in ALRC Report 108 vol 2 [25.46].

27. ALRC Report 108 vol 2 [25.49].

28. ALRC Report 108 vol 2 [25.50].

29. ALRC Report 108 vol 2 [25.50].

30. ALRC Report 108 vol 2 [25.52].

31. ALRC Report 108 vol 2 [25.52].

32. ALRC Report 108 vol 2 [25.66]. See discussion of this issue in relation to UPP 2, para 2.103-2.107 and in relation to UPP 9, para 9.38-9.40.

33. ALRC Report 108 vol 2 [25.66].

34. ALRC Report 108 vol 2 [25.67].

35. ALRC Report 108 vol 2 [25.73].

36. ALRC Report 108 vol 2 [25.77].

37. ALRC Report 108 vol 2 [25.77].

38. Cyberspace Law and Policy Centre, Submission PR 487, 19 December 2007.

39. ALRC Report 108 vol 2 [25.83].

40. ALRC Report 108 vol 2 [25.84].

41. ALRC Report 108 vol 2 [25.86].

42. ALRC Report 108 vol 2 [25.87].

43. Privacy Amendment (Private Sector) Act 2000 (Cth).

44. Privacy Act 1988 (Cth) sch 3, NPP 2.1(f).

45. Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [357].

46. Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 41.

47. ALRC Report 108 vol 2 [25.94].

48. ALRC Report 108 vol 2 [25.95].

49. Office of the Federal Privacy Commissioner, Submission PR499, 20 December 2007, cited in ALRC Report 108 vol 2 [25.96].

50. ALRC Report 108 vol 2 [25.98].

51. See ALRC Report 108 vol 2 [25.98]; the source of this guidance was not cited.

52. ALRC Report 108 vol 2 [25.117].

53. ALRC Report 108 vol 2 [25.117].

54. ALRC Report 108 vol 2 [44.23].

55. ALRC Report 108 vol 2 [25.139]-[25.140].

56. ALRC Report 108 vol 2 [25.141].

57. New South Wales Law Reform Commission, Privacy Legislation in New South Wales Consultation Paper 3 (2008) (“NSWLRC CP 3”).

58. NSWLRC CP 3, Issue 36.

59. Australian Privacy Foundation, Submission; Cyberspace Law and Policy Centre, Submission; Inner City Legal Centre, Submission; Law Society of NSW, Submission; Office of the Privacy Commissioner, Submission.

60. Cyberspace Law and Policy Centre, Submission, 23.

61. Privacy NSW, Submission, 13.

62. Specifically, s 18(1)(b) of the Privacy and Personal Information Protection Act 1998 (NSW).

63. NSWLRC CP 3 Issue 40.

64. Australian Privacy Foundation, Submission; Cyberspace Law and Policy Centre, Submission, 25.

65. NSW Department of Corrective Services, Submission.

66. IPPs 10 and 11 and HPPs 10 and 11 refer to the purpose “for which it was collected”.

67. Cyberspace Law and Policy Centre, Submission, 24; Law Society of NSW, Submission, 10; Inner City Legal Centre, Submission, 37.

68. Cyberspace Law and Policy Centre, Submission, 24.

69. Australian Privacy Foundation, Submission; Cyberspace Law and Policy Centre, Submission, 24; HIV/AIDS Legal Centre, Submission, 11; Inner City Legal Centre, Submission, 37; Law Society of NSW, Submission, 11; Office of the Privacy Commissioner, Submission, 14.

70. Law Society of NSW, Submission, 11.

71. ALRC Report 108 vol 1 Recommendation 21-3, UPP 2.4.

72. NSWLRC CP 3 Issue 39.

73. All responses to CP 3 supported this position: Australian Privacy Foundation, Submission; Cyberspace Law and Policy Centre, Submission, 24; Law Society of NSW, Submission, 11; Office of the Privacy Commissioner, Submission, 14.

74. NSWLRC CP 3 Issues 41 and 42.

75. NSWLRC CP 3 Issue 41.

76. NSWLRC CP 3 Issue 42.

77. Privacy Act 1988 (Cth) S 6(1).

78. Australian Privacy Foundation, Submission; Cyberspace Law and Policy Centre, Submission, 24; HIV/AIDS Legal Centre, Submission, 11; Inner City Legal Centre, Submission, 37; Law Society of NSW, Submission, 11; Privacy NSW, Submission, 14.

79. Australian Privacy Foundation, Submission; Cyberspace Law and Policy Centre, Submission, 25.

80. Privacy NSW, Submission, 14.

81. Intellectual Disability Rights Service, Submission, 6.

82. Intellectual Disability Rights Service, Submission, 6.

83. Intellectual Disability Rights Service, Submission, 6.

84. NSW Department of Corrective Services, Submission, 4.

85. Australian Privacy Foundation, Submission; Cyberspace Law and Policy Centre, Submission, 25; Inner City Legal Centre, Submission, 38; Law Society of NSW, Submission, 11; NSW Department of Corrective Services, Submission, 4.

86. NSW Department of Corrective Services, Submission, 4.

87. The issue was also raised in relation to IPPs 2 and 3, which relate to collection requirements, and are discussed in the chapter on UPP 2.

88. Australian Privacy Foundation, Submission; Cyberspace Law and Policy Centre, Submission, 27.

89. Namely, IPPs 2, 3, 10 and 11.

90. Australian Privacy Foundation, Submission, 11.

91. Inner City Legal Centre, Submission, 39.

92. Pointed out by Crown Solicitor ’s Office, NSW, Advice, 52.

93. See also the Information Privacy Act 2002 (Vic).

94. NZ v Director General, New South Wales Department of Housing [2005] NSWADT 58, [69].

95. JD v Department of Health [2005] NSWADTAP 44, [93], [42].

96. Crown Solicitor’s Office, NSW, Advice, [3.41].

97. Director General, Department of Education and Training v MT [2005] NSWADTAP 77, [39].

98. See Crown Solicitor’s Office, NSW, Advice, 53.

99. Privacy and Personal Information Protection Act 1998 (NSW) s 16.

100. See the discussion of UPP 2, para 2.103-2.107.

101. Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), [357].

102. Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 41.