The OAIC controversially confirms Australian entities can publicly release individuals' personal information in broader circumstances than you might expect.
On 29 May 2018, the Office of the Australian Information Commissioner (OAIC) released a controversial decision confirming that Centrelink's actions in releasing personal information about a Centrelink user and her claim history to a journalist were permitted under the Commonwealth Privacy Act.
The decision has reinforced the broad scope of circumstances in which government agencies and private companies may legally release personal information about individuals to the public. In particular, adverse claims made publicly about an organisation may allow them to disclose an individual's personal information in order to 'correct the record'. The OAIC found that this kind of disclosure would be reasonably expected by individuals.
The decision has created significant backlash, with many privacy advocates calling for a reform of Australian privacy legislation to protect individuals' information from disclosure. Understandably, many people would not expect government agencies or companies to be allowed to publicly disclose personal information in an attempt to discredit them. While the decision is consistent with existing privacy laws, it may not be consistent with community expectations about privacy protection.
Disclosure of personal information by Centrelink
In 2017 Andie Fox, a recipient of Centrelink benefits, wrote an opinion piece which was highly critical of the agency's debt recovery system. In the piece Ms Fox alleged that she was pursued by Centrelink for recovery of a debt she did not owe. In response to the article, Centrelink provided personal information about Ms Fox to a journalist, who wrote an article claiming that Centrelink had been 'unfairly castigated' by Ms Fox. The disclosed information included details of Ms Fox's previous communications with Centrelink, as well as her Centrelink claims and debt history.
Human Services Minister Alan Tudge justified the disclosure, stating in Parliament that 'information was provided to correct the record in relation to those allegations'. In response to a complaint, the OAIC commenced an inquiry into the Department of Human Services' actions.
Investigation by OAIC
The OAIC found that the disclosure was permitted by Australian Privacy Principle 6.2(a)(ii).
According to the Australian Privacy Principles (APPs), an APP entity may only use or disclose personal information for a purpose for which it was collected (the primary purpose) or, where an exception applies, a secondary purpose.
The exception set out in APP 6.2(a)(ii) provides that if an APP entity holds personal information for a primary purpose, it may use or disclose it for a secondary purpose if the individual concerned would reasonably expect it do so, and it is related to the primary purpose.
To satisfy the exception, the disclosure must be one which the individual would 'reasonably expect'. This objective test takes into account the circumstances of the case and assumes that the individual is well informed. The APP Guidelines 2014 suggest that entities should consider the extent of this expectation. For instance, an individual may reasonably expect that some, but not all, of their personal information may be disclosed to fulfil a secondary purpose. In this situation, the APP entity would only be permitted to disclose that portion of personal information which satisfies the 'reasonable expectation' criterion.
Relevantly, the APP Guidelines say that an individual may reasonably expect disclosure of their personal information where they have made negative comments about an APP entity in the media. Here, an individual may reasonably expect that the entity would wish to respond to this criticism in a similarly public manner. In its concluding statement, the OAIC relied on the case of L v Commonwealth Agency  PrivCmrA 14, in which an individual made adverse comments in the media about an Australian government agency. After being contacted by the media in relation to these comments, the agency disclosed the individual's personal information to a journalist, who published the information in an article. In that case, the Privacy Commissioner (now the Australian Information Commissioner) found that the complainant would have reasonably expected that this information would be disclosed in the circumstances.
Where to now?
Organisations should be aware that the public may expect them to maintain the confidentiality of personal information even in circumstances where disclosure would be permitted by privacy laws. As public awareness of privacy and data protection issues grows, time will tell if Australia's privacy laws, and the OAIC's interpretation of them, will shift to place an even greater focus on protecting the privacy of individuals.