The Law Handbook 2024
1102 Section 12: Government and the individual

• how the individual can access and, if necessary, correct the information;
• how the individual can complain about the entity’s use of the information; and
• whether the entity is likely to disclose the information to overseas recipients and, if practicable, the countries where they are located.

Often, entities will notify individuals about the above by providing a privacy notice at the time of collection, such as on a form used to collect personal information, or in a script read over the telephone.

APP 5 recognises that in some cases it may be ‘reasonable’ to take limited, or even no, steps to provide notice or to ensure awareness of APP 5 matters. The APP guidelines provide a number of examples of when it may in fact be unreasonable; for example, if notification may pose a serious threat to an individual’s health and safety, or to public health or safety.

APP 6: Use and disclosure of personal information

APP 6 regulates organisations’ use and disclosure of personal information. APP 6 states that an entity should only use (or disclose) personal information for the purpose for which it was collected. An entity can use or disclose personal information about an individual for another purpose if:

• the individual consents; or
• the individual would reasonably expect the organisation to use or disclose the information for a secondary purpose, and the secondary purpose is related to the primary purpose (or directly related in the case of sensitive information).

An example of a related secondary purpose is where an entity collects personal information to provide a service and uses that information to evaluate or improve that particular service.

In the case of F v Medical Specialist [2009] PrivComr A17, a medical specialist collected health information from an individual but decided (for ethical and therapeutic reasons) to not treat the patient. The medical specialist referred the matter to the clinic manager so that the patient could receive treatment from another consultant. The Privacy Commissioner decided that the disclosure was directly related to the purpose for which it was collected, and would be within an individual’s reasonable expectation. For an example of where the secondary purpose was found to be not related, see E v Insurance Company [2011] Priv Cmr A5.

An entity may also be able to disclose personal information for some secondary purposes related to the public interest (e.g. law enforcement, public safety, research purposes and emergency situations).

APP 7: Direct marketing

APP 7 concerns the circumstances in which an entity can use personal information for direct marketing. The term ‘direct marketing’ is not defined in the PA 1988; however, the Explanatory Memorandum to the PA 1988 states that it involves ‘communicating directly with a consumer to promote the sale of goods and services to the consumer’. The APP guidelines state that direct marketing can be through ‘a variety of channels, including telephone, SMS, mail, email and online advertising’.

APP 7 prohibits private sector organisations from using personal information for direct marketing except in certain limited circumstances; if personal information has been collected directly from an individual, direct marketing is only permitted where:

• the individual would reasonably expect the information to be used for the purpose of direct marketing; and
• the entity includes a simple means to opt out of the direct marketing communications (and the individual has not made a request to opt out).

The APP guidelines state that an organisation should not assume that an individual would expect their information to be used for direct marketing just because the organisation assumes the individual would welcome it.

According to the APP guidelines, for ‘a means to opt out’ to be ‘simple’, it should require minimal time and effort. It should be clear, easily understood, accessible and free (or involve no more than a nominal cost; for example, a standard text message charge). If an individual has opted out of receiving direct marketing from an entity, the entity must not use or disclose the individual’s personal information for the purpose of direct marketing.

Additional restrictions apply to using personal information for direct marketing if the individual would not reasonably expect their personal information to be used for direct marketing, or if the personal information was collected from a third party.