Chapter 3: Information sharing

Legislative framework

3.1 The Commissioner is authorised to share information under various pieces of legislation, including the Privacy Act and Australian Information Commissioner Act. This Chapter focuses on two specific powers under the Privacy Act: the power to share information with other authorities in s 33A and the power to disclose certain information in the public interest under s 33B.

3.2 Section 33A gives the Commissioner power to share information (including personal information) or documents with enforcement bodies, alternative complaint bodies and other government authorities with privacy functions (including authorities in foreign jurisdictions).

3.3 Section 33B enables the Commissioner to disclose information acquired in the course of exercising powers or performing functions or duties under the Privacy Act, if the Commissioner is satisfied that it is in the public interest to do so.

Principles of law

3.4 The OAIC is subject to principles of law[1] that limit the extent to which government agencies can disclose information received in the course of exercising powers or performing functions or duties. A summary of the key principle[2] is that a statute which confers a power to obtain information for a purpose defines, expressly or impliedly, the purpose for which the information when obtained can be used or disclosed.

3.5 The OAIC is subject to those principles.  However, these principles and limitations can be overridden by an express statutory power which enables the disclosure of information and documents in certain limited circumstances.

3.6 Sections 33A and 33B of the Privacy Act are express statutory powers which create a limited exception to the principles of law. The scope of the exception and the powers are described below.

3.7 Before exercising its information sharing powers under sections 33A or 33B, the OAIC will take steps to ensure that the entities from whom the information or documents were obtained are afforded natural justice. If it is possible and appropriate in the circumstances, the OAIC will aim to provide the entities with notice that the OAIC intended to share the information or documents, together with information about the circumstances of the intended sharing, and give the entities a reasonable opportunity to object to the intended sharing. However, the OAIC will generally not provide an individual or entity with an assurance that the OAIC will not publicise its regulatory action or that it will give advance warning.

3.8 Prior to sharing information or documents under either section 33A or 33B, the Commissioner would have regard to:

• the extent to which the information and documents are relevant, necessary and useful to the receiving body
• the extent to which the information and documents are already in the public domain or are likely to become so
• whether the sharing would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
• the impact of the sharing on the rights or interests of any entity, including the privacy of individuals
• whether the sharing is likely to prejudice any enforcement related activities or investigations by an enforcement body, the OAIC or another agency
• whether the sharing will, or is likely to, disclose any confidential commercial information
• the harms or benefits likely to result from the sharing
• any other matters the Commissioner considers relevant.

Information sharing with other authorities

3.9 Section 33A facilitates better cooperation between the Commissioner, enforcement bodies and regulatory authorities and entities, for example, privacy regulators in foreign jurisdictions, in order to investigate and take appropriate action in respect of privacy breaches, threats and risks.

3.10 The Commissioner may share information with both domestic and international bodies:

• Domestic bodies comprise Australian enforcement bodies,[3] alternative complaint bodies[4] and State or Territory authorities that function to protect the privacy of individuals (such as the privacy commissioner of a State or Territory), and
• International bodies comprise an authority of the government of a foreign country that function to protect the privacy of individuals (such as the foreign equivalents of the OAIC).

3.11 The Commissioner’s information sharing power is subject to the following limitations in s 33A which ensure that the exercise of the power will be reasonable, necessary and proportionate:

• the Commissioner can only share information for the purposes of the Commissioner’s, or the receiving body’s, exercise of powers or performance of functions and duties
• the information or documents must have been acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act
• the Commissioner must also be satisfied on reasonable grounds that the receiving body has satisfactory arrangements for protecting the information or documents
• where the Commissioner has obtained information or documents from an Australian Government agency, the Commissioner may only share the information or documents with an Australian Government agency
• if the information is shared with a receiving body under section 33A, the receiving body may only use the information for the purposes for which it was shared.

3.12 Where it is deemed necessary to share information with foreign regulators, the information exchange will ordinarily occur under information sharing frameworks which protect the confidentiality of such information, for example the Global Cross Border Enforcement Cooperation Arrangement, the APEC Cooperation Arrangement for Cross-Border Privacy Enforcement or a memorandum of understanding. More information about the international and domestic regulators we work with and the arrangements that underpin those relationships is available on the OAIC’s website.[5]

Disclosing information in the public interest

3.13 Section 33B permits the Commissioner to disclose certain information (including personal information) acquired in the course of exercising powers or performing functions or duties under the Privacy Act, provided the Commissioner is satisfied the disclosure is in the public interest.  Section 33B permits disclosure of information to the public. This is contrasted with disclosures under s 33A which may be made only to a limited range of receiving bodies in limited circumstances.

3.14 Section 33B empowers the Commissioner to disclose or publish information relating to privacy and personal information, for example, information about an ongoing investigation on the OAIC’s website. This ensures the public are informed about privacy issues and to provide assurance to the community that the OAIC is discharging its duties.

3.15 The disclosure power is subject to the Commissioner being satisfied on reasonable grounds that the disclosure is in the public interest, which ensures that it is reasonable, necessary and proportionate. To determine whether the disclosure is in the public interest, the Commissioner must consider:

• the rights, freedoms and legitimate interests of any person including a complainant or respondent
• whether the disclosure could prejudice an investigation by the Commissioner which is underway
• whether the disclosure will or is likely to disclose the personal information of any person
• whether the disclosure will or is likely to disclose confidential commercial information
• whether the disclosure would be likely to prejudice enforcement-related activities conducted by or on behalf of an enforcement body.

3.16 The Commissioner may also have regard to any other matter the Commissioner considers relevant when determining if a disclosure is in the public interest. For example, the Commissioner may have regard to any consultation with affected entities, and any actions affected entities have taken (such as where the entity has already notified individuals about particular conduct or privacy issues).