APP 6: Use and Disclosure of Personal Information

Primary purpose rule

APP 6.1 permits an APP entity to use or disclose personal information only for the particular purpose for which it was collected – the primary purpose. This means the entity must not use or disclose the information for any other reason unless an exception applies. This aligns with APP 3 collection of solicited personal information, which concerns the initial collection of the information.

The Office of the Australian Information Commissioner (OAIC) considers the primary purpose to be the specific function or activity that prompted the collection of the personal information, as identified at the time of collection. Determining the primary purpose is crucial for compliance with APP 6.

APP 6 does not restrict what a recipient can do with personal information once it has been lawfully disclosed for the primary purpose. Any further use by that recipient is subject to their own obligations under the Act.

Consent and reasonable expectation exceptions

APP 6 allows for the use or disclosure of personal information for a purpose other than the original purpose (a secondary purpose) in two key circumstances. Firstly, an organisation can use or disclose personal information if the individual has provided consent. This consent can be expressed or implied, and must be voluntary, informed, current, specific and given by an individual with the capacity to consent.

Secondly, a secondary use or disclosure is permitted if an individual would reasonably expect the information to be used or disclosed for that purpose. This exception applies where the secondary purpose is related to the primary purpose, but only if the information is not considered sensitive information.

For sensitive information, the requirements are stricter. A secondary purpose must be directly related to the primary purpose for a reasonable expectation exception to apply.

Required or authorised by law and enforcement

APP 6 allows an organisation to use or disclose personal information if it is required or authorised by an Australian law or a court or tribunal order. This covers situations where legal obligations necessitate the sharing of information.

Disclosure is also permitted under certain circumstances outlined in sections 16A and 16B. These include situations involving a serious threat to life, health or safety, and specific permitted health situations. APP 8 overseas disclosure may be relevant if the disclosure involves transferring information outside of Australia.

Finally, an organisation may use or disclose personal information if it reasonably believes it is necessary for enforcement related activities undertaken by or on behalf of an enforcement body.

Recording and other obligations

APP entities must adhere to specific recording obligations when using or disclosing personal information for enforcement-related activities. APP 6.5 mandates that a written note be created documenting such uses and disclosures. This requirement ensures accountability and facilitates compliance with the Australian Privacy Principles.

It is important to understand that APP 6 operates in conjunction with other principles. It must be read alongside APP 7 direct marketing which governs direct marketing activities, and APP 8, which addresses cross-border disclosures of personal information.

Breaching APP 6 constitutes an interference with the privacy of an individual, as defined by section 13 of the Privacy Act. Furthermore, sections 6DA and 6E extend the application of APP 6 to small business operators in specific circumstances, including those related to credit reporting and other defined activities.