Under privacy laws, certain organisations have obligations not to use or disclose personal information for a purpose other than the purpose for which it was collected, unless an exception applies. For example, where the individual concerned has consented to the use or disclosure of the information or the use or disclosure is required under an Australian law, or court or tribunal order.
For the purposes of these laws, personal information includes an individual's name, signature, address, email address, telephone number, date of birth, medical or other records and commentary or opinion about that person.
It is important to be mindful of privacy obligations when undertaking discovery, particularly of ESI. For example, copies of emails and their attachments may contain personal information in the form of the sender's and recipient's names and email addresses.
The use and disclosure of personal information is permitted where an organisation is 'required' under an Australian law or court or tribunal order to handle information in a particular way and 'cannot choose to act differently'. Accordingly, if a court has made an order for discovery that requires disclosure of documents, the disclosure of documents containing personal information in compliance with this order is permitted by the Privacy Act 1988 (Cth) (the Privacy Act).
However, careful attention should be given to the terms of the order. If an order is framed as requiring discovery of information about certain matters, documents that contain both relevant information and personal information might require a more cautious approach to determine if the personal information is truly covered by the order. If the order is expressed to cover documents, parties may still be able to mask irrelevant personal information contained in the relevant documents but, before doing so, they should consider the procedural rules in the relevant jurisdiction as, generally, parties do not have a right to redact documents purely for irrelevance. For example, in Gray v. Associated Book Publishers (Aust) Pty Ltd, the respondents had produced for inspection a number of documents that had been masked on the basis that the respondents owed an obligation of confidentiality to third parties. The Federal Court ordered that the respondents produce unmasked copies of the documents and suggested that the respondents should have first obtained the applicant's agreement to the masking of the portions of their discovered documents, or otherwise sought relief from the Court. Of relevance to the Court's decision was that the information about the third parties 'might throw light' on questions relevant to the applicant's claims. In coming to this conclusion, the court noted that:
A private right of confidentiality in documents may be taken into account in considering whether to order discovery and inspection, although it is right to say that the fact that documents have that character is not usually itself a sufficient reason to deny discovery . . . When a document is shown to be confidential the Courts must balance the effect of its disclosure and of it being withheld from a party to litigation.
Parties may also disclose information in the context of anticipated or actual proceedings without the existence of a court order. This may be acceptable under the Privacy Act if the disclosure is (1) reasonably necessary for establishing, exercising or defending a legal or equitable claim, or (2) reasonably necessary for confidential alternative dispute resolution processes.
The 'reasonably necessary' test is an objective test: whether a reasonable person who is properly informed would agree that the use or disclosure is reasonable in the circumstances. It is the responsibility of the entity disclosing the information to be able to justify that the particular use or disclosure is reasonably necessary. The collection, use or disclosure of personal information is unlikely to be considered necessary where it is merely helpful, desirable or convenient.
When disclosing in reliance on these exceptions without a court order, parties should consider whether documents (while relevant themselves) contain any irrelevant personal information (and whether that information must be redacted before being disclosed). It is important to consider whether the disclosure of all the personal information contained in any particular document is 'reasonably necessary' in the circumstances. Redactions may be necessary if that test cannot be satisfied.