August 3, 2020

Volume X, Number 216

August 03, 2020

Subscribe to Latest Legal News and Analysis

OAIC's Controversial Decision Broadens Scope for the Disclosure of Personal Information

In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt.  In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox.  The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.

The OAIC found that the disclosure was permitted by Australian Privacy Principle (APP) 6.2(a)(ii).  Pursuant to the APPs, an APP entity may only use or disclose personal information for the purpose for which it was collected (the primary purpose) or, where an exception applies, a secondary purpose.  APP 6.2(a)(ii) permits disclosure where the individual would reasonably expect the entity to disclose their information and the disclosure is related to the primary purpose.

Relevantly, APP Guideline 6.22 provides examples of when the OAIC considers that an individual may reasonably expect disclosure of their personal information, and includes circumstances in which the individual has made negative comments about an APP entity to the media about the way the entity has treated them.  Here, the OAIC explains in the APP Guidelines that it may be reasonable to expect that the entity would wish to respond to the criticism in a similarly public manner, including by revealing personal information specifically relevant to the issues the individual has raised.  The decision reinforces the broad range of circumstances in which governmental agencies and private companies may legally release personal information about individuals to the public – though presumably, if an APP entity’s privacy policy or other disclosures were inconsistent with that expectation (for example, if the entity states that it does not share information in that way), it would not have been considered to be “reasonably expected” by the individual.

It’s worth noting that in this case the OAIC stated that it carefully considered the specific public statements made by the individual, and the specific information disclosed in response, to determine if the disclosure was consistent with those expectations, so any APP entity wishing to rely on this exception will need to ensure it has carefully considered and can justify its decisions and the specific range of information to disclose.  However, while the decision is viewed in this way as consistent with existing privacy laws, some Australian civil and digital rights advocates are arguing that it may not be consistent with community expectations about privacy protection.  In light of the backlash, organisations should be aware of the potential commercial and reputational ramifications of disclosure, even when that disclosure would otherwise seem to be permitted by privacy laws.

Copyright 2020 K & L GatesNational Law Review, Volume VIII, Number 192


About this Author

Warwick Andersen Technology Lawyer KL Gates

Mr. Andersen is a senior corporate lawyer with a focus on commercial, technology and sourcing projects. He has advised on large scale outsourcing projects, technology agreements for both vendors and customers, corporate support, privacy and telecommunications regulatory work. He has acted for government departments, large listed companies, telecommunications companies and technology suppliers.

Rob Pulham Corporate Attorney K&L Gates
Special Counsel

Rob Pulham is an experienced corporate advisory and transactional lawyer with an active technology and privacy practice representing companies in the energy, manufacturing, mining, retail, health and financial services sectors, as well as government and not for profit organisations. He has extensive experience advising customers and vendors in the technology industry, with particular focus on software licensing, data privacy and protection, and systems integration projects. In his role as a senior corporate lawyer, Mr. Pulham reviews organisational policies and practices regarding data privacy to identify key risks, develops and implements strategies to mitigate privacy and cybersecurity risks, and advises clients in the investigation of, and response to, data breaches.

Mr. Pulham also serves as a strategic advisor to his clients, regularly advising on large outsourcing and technology procurement matters including negotiating software licensing terms with ERP and CRM vendors such as Oracle, SAP and Salesforce, and on major systems integration transactions. He advises his clients on all facets of their technology practices, procurement and needs, including key technology procurement requirements and licensing issues (acting for both customer and service provider clients), marketing and advertising in compliance with Australian competition and consumer laws, website content and terms of use, and general commercial intellectual property and software licensing matters.