What issues does this bulletin address?

This bulletin focuses on the "use and disclosure" principles. Separate bulletins focus on other principles in the IPPs such as the "collection" and "storage and access" principles.

The Privacy and Personal Information Protection Act 1998 (NSW) and Health Records and Information Privacy Act 2002 (NSW) regulate the way public sector agencies handle personal and health information through principles referred to as Information Protection Principles (IPPs) and Health Privacy Principles (HPPs). This bulletin looks at the IPPs and HPPs that apply to the use and disclosure of personal and health information. The principles regulating personal information and health information are worded in similar terms.

Using and disclosing personal information

In the legislation, use of personal information and health refers to the treatment and handling of information within an organisation. In general, disclosure means making information available outside the organisation, other than to the individual to whom the information relates.

The legislation places limitations on the uses that can be made of personal information and health information and on the circumstances in which it can be disclosed. In general, information must not be used or disclosed for a purpose other than that for which it was collected unless consent for the use or disclosure is obtained from the person to whom the information relates.

When personal information is transferred between department staff for legitimate educational or management purposes, the transfer is regarded as a use of the information rather than as a disclosure.

There are criminal sanctions under the legislation for the unauthorised use and disclosure of personal information by public sector officials.

An example of misconduct in respect of personal information would include disclosing personal information about the child of a famous person to a journalist, regardless of whether payment or a bribe was offered.

The “use and disclosure” principles

The "use and disclosure" principles require that:

• the department must take reasonable steps to ensure that, before using personal information for a particular purpose, the information is relevant, accurate, up to date, complete and not misleading,
• personal information is used only for the purpose for which it was collected, unless:
  • the relevant individual has consented, or
  • the use is for a directly related purpose, or
  • the use of the information is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person,
• personal information is disclosed only for the purpose for which the information was collected unless:
  • the disclosure is for a directly related purpose where there is no reason to believe that the person concerned would object to the disclosure, or
  • the person concerned is reasonably likely to be aware or has been made aware that it is usual practice to disclose information of that kind to that other person or body, or
  • it is believed that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person,
• there must be no disclosure of personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual activities, unless:
  • the disclosure is with the express permission of the parent, guardian or caregiver of the student concerned, or
  • the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or to another person, and
• there must be no disclosure of personal information to bodies outside NSW unless:
  • the disclosure is to a jurisdiction with a recognised privacy law in place or the disclosure is otherwise authorised, or
  • the individual has consented, or
  • the department has taken steps to ensure that the information will be held, use and disclosed in a manner consistent with the principles, or
  • another exemption under the legislation applies.

Exceptions to the “use and disclosure” principles

There are some special exceptions to the “use and disclosure” principles in the legislation that apply to the department. The principal exceptions are contained in the department Privacy Code of Practice which can be found on the department’s intranet site. These exceptions allow the department to depart from the principles in certain circumstances.

The department’s Privacy Code of Practice relates only to personal information and not health information. For example, it modifies the use and disclosure IPPs to allow the department to:

• allow a parent or caregiver of a government school student to whom the personal information relates to providing consent for the use of the information for a purpose other than that for which it was collected
• depart from the IPPs to use or disclose personal information for the purposes of child protection and, where necessary, to promote and maintain a safe and disciplined learning environment and
• in certain circumstances, to disclose the personal information of a student enrolled in a government school to a parent or caregiver.

The Children and Young Persons (Care and Protection) Act 1998 (NSW) (the CYP Act) also provides for some exceptions with respect to the disclosure of personal information between government agencies where the personal information relates to the safety, welfare and well-being of a child or class of children. Chapter 16A and section 248 of the CYP Act contain the relevant exceptions and should be consulted when personal information about a child, young person or class of children or young people is being disclosed amongst government agencies.

Health information

Health information about an individual is separately governed by the Health Records and Information Privacy Act 2002 (NSW) (the HRIP Act). While the obligations with respect to the collection of health information are substantially similar to the obligations in the Privacy and Personal Information Protection Act 1998 (NSW) with respect to personal information, there are some variations.

For example, the use and disclosure principles in the HRIP Act explicitly allow for additional secondary usages or disclosures of health information in order to:

• find a missing person,
• perform research for the public good,
• assist in the investigation of suspected unlawful activity.

Frequently asked questions

A parent phones a school counsellor requesting information on a recent counselling session with their child. Should information be provided?

In all cases of a self-referral to the school counsellor, information can only be disclosed to a parent or caregiver of a student attending a government school with the express permission of the child or young person, or where the counsellor believes it is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person.

Where a parent, guardian or caregiver of a primary or pre-school aged student or a parent, guardian or caregiver of a student with a significant intellectual disability refers their child to the school counsellor, the school counsellor can provide relevant information to the parent, guardian or caregiver if it is in the child's best interests to provide the information.

Where a high school aged student is referred to the school counsellor by a parent or caregiver, information can only be disclosed to the parent or caregiver with the express permission of the child or young person, or where the counsellor believes it is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or to another person.

Should you provide names and addresses if requested from an external source?

No. Unless the people whose names and addresses are sought have given permission or were told at the time of collection of their personal information that it would be used for this purpose, neither the former student, nor the President of the P&C, nor the Member of Parliament has a legitimate right to have this information. You might suggest alternatives such as:

• announcing the event on social media,
• placing an advertisement in the local paper, or
• placing signs on community notice boards, or
• inserting in a newsletter a generic announcement written by those seeking the information, or
• asking those requesting the information to visit your school, college or workplace and make an announcement inviting people to contact them if they would like to be involved.

Does the legislation prevent the school from disclosing a student's exam marks to their parent or caregiver?

In general, no. The department's Privacy Code of Practice contains a specific exemption to ensure that parents, guardians or caregivers can be informed of personal information about school students where it is in the best interests of the student. In the vast majority of situations, it will be in the best interests of school students for parents, guardians or caregivers to be aware of the students' examination marks.

Do students have the right to challenge a decision to disclose personal information to a parent or caregiver?

Yes. Additional details regarding this can be found in section 3.2 of the department Privacy Code of Practice on the department's intranet site. The decision is to be reviewed by the principal, with a right of appeal to the district superintendent. In these cases, the principal may need to establish procedures to manage the review process.

What form of consent is required to override the limits on the use of personal information?

Where reasonably practicable, consent in writing should be obtained. This consent should be explicit and indicate clearly to what the individual to whom the information relates has agreed. Since breaches of the principles are subject to an internal review, evidence of consent may be required for a subsequent review.

Where it is not reasonably practicable to obtain consent in writing, you should make a file note of the conversation recording the particular matter to which the individual has consented.

Can a staff member report suspected misconduct involving personal information?

Yes. Since the department is empowered and obliged, by law, to perform effectively and address misconduct, staff reporting problems such as this through proper departmental channels are not in breach of privacy requirements of the Act. Similarly, ICAC, by law, can receive such information and therefore staff are not in breach of the Act if they report personal information to ICAC when making a complaint of misconduct.

It is worth noting here that protected disclosures under the Protected Disclosures Act 1994 (NSW) are exempt from the definition of personal information and health information under the legislation. This means that the privacy legislation does not apply in these situations.