OAIC's Controversial Decision Broadens Scope for the Disclosure of Personal Information
In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt. In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox. The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.
The OAIC found that the disclosure was permitted by Australian Privacy Principle (APP) 6.2(a)(ii). Pursuant to the APPs, an APP entity may only use or disclose personal information for the purpose for which it was collected (the primary purpose) or, where an exception applies, a secondary purpose. APP 6.2(a)(ii) permits disclosure where the individual would reasonably expect the entity to disclose their information and the disclosure is related to the primary purpose.
It’s worth noting that in this case the OAIC stated that it carefully considered the specific public statements made by the individual, and the specific information disclosed in response, to determine if the disclosure was consistent with those expectations, so any APP entity wishing to rely on this exception will need to ensure it has carefully considered and can justify its decisions and the specific range of information to disclose. However, while the decision is viewed in this way as consistent with existing privacy laws, some Australian civil and digital rights advocates are arguing that it may not be consistent with community expectations about privacy protection. In light of the backlash, organisations should be aware of the potential commercial and reputational ramifications of disclosure, even when that disclosure would otherwise seem to be permitted by privacy laws.