OAIC’s controversial decision broadens scope for the disclosure of personal information
By Warwick Andersen, Rob Pulham and Georgia Mills
In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt. In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox. The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.
The OAIC found that the disclosure was permitted by Australian Privacy Principle (APP) 6.2(a)(ii). Pursuant to the APPs, an APP entity may only use or disclose personal information for the purpose for which it was collected (the primary purpose) or, where an exception applies, a secondary purpose. APP 6.2(a)(ii) permits disclosure where the individual would reasonably expect the entity to disclose their information and the disclosure is related to the primary purpose.
Relevantly, APP Guideline 6.22 provides examples of when the OAIC considers that an individual may reasonably expect disclosure of their personal information, and includes circumstances in which the individual has made negative comments about an APP entity to the media about the way the entity has treated them. Here, the OAIC explains in the APP Guidelines that it may be reasonable to expect that the entity would wish to respond to the criticism in a similarly public manner, including by revealing personal information specifically relevant to the issues the individual has raised. The decision reinforces the broad range of circumstances in which governmental agencies and private companies may legally release personal information about individuals to the public – though presumably, if an APP entity’s privacy policy or other disclosures were inconsistent with that expectation (for example, if the entity states that it does not share information in that way), it would not have been considered to be “reasonably expected” by the individual.
It’s worth noting that in this case the OAIC stated that it carefully considered the specific public statements made by the individual, and the specific information disclosed in response, to determine if the disclosure was consistent with those expectations, so any APP entity wishing to rely on this exception will need to ensure it has carefully considered and can justify its decisions and the specific range of information to disclose. However, while the decision is viewed in this way as consistent with existing privacy laws, some Australian civil and digital rights advocates are arguing that it may not be consistent with community expectations about privacy protection. In light of the backlash, organisations should be aware of the potential commercial and reputational ramifications of disclosure, even when that disclosure would otherwise seem to be permitted by privacy laws.