- Advice Summaries
- Case Notes
- Codes of Conduct
- Compliance Notes
- Fact Sheets
Q v Law Firm  PrivCmrA 20
Q v Law Firm  PrivCmrA 20
Improperly collecting and disclosing personal information
National Privacy Principles 1.1 and 2 in Schedule 3 of the Privacy Act 1988 (Cth).
The following case was decided by the Privacy Commissioner prior to 1 November 2010. On 1 November 2010 all the powers of the Privacy Commissioner under the Privacy Act were conferred on the Australian Information Commissioner.
A law firm collected personal information from its client (a medical practitioner) about the alleged mental health of the complainant. The law firm then disclosed it to a state healthcare complaints body which was investigating a complaint against the law firm's client.
The complainant believed the collection and disclosure of their personal information was inappropriate.
NPP 1.1 states that an organisation must not collect personal information unless the information is necessary for one or more its functions or activities.
NPP 2 provides that an organisation must not use or disclose personal information other than for the primary purpose of collection, unless an exception applies. One exception, NPP 2.1(g), allows an organisation to disclose personal information if the disclosure is required or authorised by or under law.
The Commissioner investigated the matter under section 40(1) of the Privacy Act.
In response to the Commissioner's investigation, the law firm stated that one of its functions was to provide legal advice. The collection of the information from the client was necessary to provide legal advice to that client. The Commissioner accepted this view.
In addition, the law firm advised that its disclosure of the personal information to the healthcare complaints body was authorised under law. It relied on Schedule 1, Clause 11(1)(k) of the Health Records and Information Privacy Act 2002 (NSW) which authorises a disclosure which is ‘reasonably necessary' to enable an investigative agency to exercise its complaint handling functions or investigative functions.
The Commissioner took the view that the healthcare complaints body was an investigative agency. In addition, the information provided to the healthcare complaints body was used to consider how it would investigate/resolve the matter and which documents it would provide to the complainant. Therefore, the Commissioner took the view that the disclosure was ‘reasonably necessary' under the Health Records and Information Privacy Act 2002 (NSW). As the disclosure was authorised under a state law, the disclosure was consistent with NPP 2.1(g) of the Privacy Act, which allows a disclosure that is authorised under other laws.
The Commissioner closed the investigation under section 41(1)(a) of the Privacy Act, on the grounds that the law firm had not interfered with the complainant's privacy.
Office of the Australian Information Commissioner