Site Changes

On 1 November 2010 the Office of the Privacy Commissioner was integrated into the Office of the Australian Information Commissioner and a new website established at www.oaic.gov.au.

Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.

Types

Topic(s): Collection | Disclosure

Q v Law Firm [2010] PrivCmrA 20

document icon pdf (0)

Case Citation:

Q v Law Firm [2010] PrivCmrA 20

Subject Heading:

Improperly collecting and disclosing personal information

Law:

National Privacy Principles 1.1 and 2 in Schedule 3 of the Privacy Act 1988 (Cth).

The following case was decided by the Privacy Commissioner prior to 1 November 2010. On 1 November 2010 all the powers of the Privacy Commissioner under the Privacy Act were conferred on the Australian Information Commissioner.

Facts:

A law firm collected personal information from its client (a medical practitioner) about the alleged mental health of the complainant. The law firm then disclosed it to a state healthcare complaints body which was investigating a complaint against the law firm's client.

The complainant believed the collection and disclosure of their personal information was inappropriate.

Issues:

NPP 1.1 states that an organisation must not collect personal information unless the information is necessary for one or more its functions or activities.

NPP 2 provides that an organisation must not use or disclose personal information other than for the primary purpose of collection, unless an exception applies. One exception, NPP 2.1(g), allows an organisation to disclose personal information if the disclosure is required or authorised by or under law.

Outcome:

The Commissioner investigated the matter under section 40(1) of the Privacy Act.

In response to the Commissioner's investigation, the law firm stated that one of its functions was to provide legal advice. The collection of the information from the client was necessary to provide legal advice to that client. The Commissioner accepted this view.

In addition, the law firm advised that its disclosure of the personal information to the healthcare complaints body was authorised under law. It relied on Schedule 1, Clause 11(1)(k) of the Health Records and Information Privacy Act 2002 (NSW) which authorises a disclosure which is ‘reasonably necessary' to enable an investigative agency to exercise its complaint handling functions or investigative functions.

The Commissioner took the view that the healthcare complaints body was an investigative agency. In addition, the information provided to the healthcare complaints body was used to consider how it would investigate/resolve the matter and which documents it would provide to the complainant. Therefore, the Commissioner took the view that the disclosure was ‘reasonably necessary' under the Health Records and Information Privacy Act 2002 (NSW). As the disclosure was authorised under a state law, the disclosure was consistent with NPP 2.1(g) of the Privacy Act, which allows a disclosure that is authorised under other laws.

The Commissioner closed the investigation under section 41(1)(a) of the Privacy Act, on the grounds that the law firm had not interfered with the complainant's privacy.

Office of the Australian Information Commissioner
December 2010