Publication date: January 2023
3.1 The Commissioner is authorised to share information under various pieces of legislation, including the Privacy Act and Australian Information Commissioner Act. This Chapter focuses on two specific powers under the Privacy Act: the power to share information with other authorities in s 33A and the power to disclose certain information in the public interest under s 33B.
3.2 Section 33A gives the Commissioner power to share information (including personal information) or documents with enforcement bodies, alternative complaint bodies and other government authorities with privacy functions (including authorities in foreign jurisdictions).
3.3 Section 33B enables the Commissioner to disclose information acquired in the course of exercising powers or performing functions or duties under the Privacy Act, if the Commissioner is satisfied that it is in the public interest to do so.
Principles of law
3.4 The OAIC is subject to principles of law that limit the extent to which government agencies can disclose information received in the course of exercising powers or performing functions or duties. A summary of the key principle is that a statute which confers a power to obtain information for a purpose defines, expressly or impliedly, the purpose for which the information when obtained can be used or disclosed.
3.5 The OAIC is subject to those principles. However, these principles and limitations can be overridden by an express statutory power which enables the disclosure of information and documents in certain limited circumstances.
3.6 Sections 33A and 33B of the Privacy Act are express statutory powers which create a limited exception to the principles of law. The scope of the exception and the powers are described below.
3.7 Before exercising its information sharing powers under sections 33A or 33B, the OAIC will take steps to ensure that the entities from whom the information or documents were obtained are afforded natural justice. If it is possible and appropriate in the circumstances, the OAIC will aim to provide the entities with notice that the OAIC intended to share the information or documents, together with information about the circumstances of the intended sharing, and give the entities a reasonable opportunity to object to the intended sharing. However, the OAIC will generally not provide an individual or entity with an assurance that the OAIC will not publicise its regulatory action or that it will give advance warning.
3.8 Prior to sharing information or documents under either section 33A or 33B, the Commissioner would have regard to:
- the extent to which the information and documents are relevant, necessary and useful to the receiving body
- the extent to which the information and documents are already in the public domain or are likely to become so
- whether the sharing would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
- the impact of the sharing on the rights or interests of any entity, including the privacy of individuals
- whether the sharing is likely to prejudice any enforcement related activities or investigations by an enforcement body, the OAIC or another agency
- whether the sharing will, or is likely to, disclose any confidential commercial information
- the harms or benefits likely to result from the sharing
- any other matters the Commissioner considers relevant.
Information sharing with other authorities
3.9 Section 33A facilitates better cooperation between the Commissioner, enforcement bodies and regulatory authorities and entities, for example, privacy regulators in foreign jurisdictions, in order to investigate and take appropriate action in respect of privacy breaches, threats and risks.
3.10 The Commissioner may share information with both domestic and international bodies:
- Domestic bodies comprise Australian enforcement bodies, alternative complaint bodies and State or Territory authorities that function to protect the privacy of individuals (such as the privacy commissioner of a State or Territory), and
- International bodies comprise an authority of the government of a foreign country that function to protect the privacy of individuals (such as the foreign equivalents of the OAIC).
3.11 The Commissioner’s information sharing power is subject to the following limitations in s 33A which ensure that the exercise of the power will be reasonable, necessary and proportionate:
- the Commissioner can only share information for the purposes of the Commissioner’s, or the receiving body’s, exercise of powers or performance of functions and duties
- the information or documents must have been acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act
- the Commissioner must also be satisfied on reasonable grounds that the receiving body has satisfactory arrangements for protecting the information or documents
- where the Commissioner has obtained information or documents from an Australian Government agency, the Commissioner may only share the information or documents with an Australian Government agency
- if the information is shared with a receiving body under section 33A, the receiving body may only use the information for the purposes for which it was shared.
3.12 Where it is deemed necessary to share information with foreign regulators, the information exchange will ordinarily occur under information sharing frameworks which protect the confidentiality of such information, for example the Global Cross Border Enforcement Cooperation Arrangement, the APEC Cooperation Arrangement for Cross-Border Privacy Enforcement or a memorandum of understanding. More information about the international and domestic regulators we work with and the arrangements that underpin those relationships is available on the OAIC’s website.
Disclosing information in the public interest
3.13 Section 33B permits the Commissioner to disclose certain information (including personal information) acquired in the course of exercising powers or performing functions or duties under the Privacy Act, provided the Commissioner is satisfied the disclosure is in the public interest. Section 33B permits disclosure of information to the public. This is contrasted with disclosures under s 33A which may be made only to a limited range of receiving bodies in limited circumstances.
3.14 Section 33B empowers the Commissioner to disclose or publish information relating to privacy and personal information, for example, information about an ongoing investigation on the OAIC’s website. This ensures the public are informed about privacy issues and to provide assurance to the community that the OAIC is discharging its duties.
3.15 The disclosure power is subject to the Commissioner being satisfied on reasonable grounds that the disclosure is in the public interest, which ensures that it is reasonable, necessary and proportionate. To determine whether the disclosure is in the public interest, the Commissioner must consider:
- the rights, freedoms and legitimate interests of any person including a complainant or respondent
- whether the disclosure could prejudice an investigation by the Commissioner which is underway
- whether the disclosure will or is likely to disclose the personal information of any person
- whether the disclosure will or is likely to disclose confidential commercial information
- whether the disclosure would be likely to prejudice enforcement-related activities conducted by or on behalf of an enforcement body.
3.16 The Commissioner may also have regard to any other matter the Commissioner considers relevant when determining if a disclosure is in the public interest. For example, the Commissioner may have regard to any consultation with affected entities, and any actions affected entities have taken (such as where the entity has already notified individuals about particular conduct or privacy issues).
 This is referred to as ‘Johns principle’, which was set out in the case of Johns v Australian Securities Commission (1993) 178 CLR 408.
 As summarised in Greenleaf, Graham --- "Johns v Australian Securities Commission"  PrivLawPRpr 5; (1994) 1(1) Privacy Law & Policy Reporter 10.
 Section 6(1) of the Privacy Act defines ‘enforcement body’ as: (a) the Australian Federal Police; or (aa) the Integrity Commissioner; or (b) the ACC; or (c) Sport Integrity Australia; or (ca) the Immigration Department; or (d) the Australian Prudential Regulation Authority; or (e) the Australian Securities and Investments Commission; or (ea) the Office of the Director of Public Prosecutions, or a similar body established under a law of a State or Territory; or (f) another agency, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or (g) another agency, to the extent that it is responsible for administering a law relating to the protection of the public revenue; or (h) a police force or service of a State or a Territory; or (i) the New South Wales Crime Commission; or (j) the Independent Commission Against Corruption of New South Wales; or (k) the Law Enforcement Conduct Commission of New South Wales; or (ka) the Independent Broad-based Anti-corruption Commission of Victoria; or (l) the Crime and Corruption Commission of Queensland; or (la) the Corruption and Crime Commission of Western Australia; or (lb) the Independent Commissioner Against Corruption of South Australia; or (m) another prescribed authority or body that is established under a law of a State or Territory to conduct criminal investigations or inquiries; or (n) a State or Territory authority, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or (o) a State or Territory authority, to the extent that it is responsible for administering a law relating to the protection of the public revenue.
 Section 50(1) of the Privacy Act defines ‘alternative complaint body’ as: (a) the Australian Human Rights Commission; or (aa) the National Data Commissioner; or (b) the Ombudsman; or (ba) the eSafety Commissioner; or (c) the Postal Industry Ombudsman; or (d) the Overseas Students Ombudsman; or (e) the Australian Public Service Commissioner; or (f) the Inspector-General of Intelligence and Security; or (g) a recognised external dispute resolution scheme.