Is it a breach of privacy to disclose information about a customer to a law enforcement agency? Australian Privacy Principle 6.1 permits a business or organisation regulated by the Privacy Act which holds personal information about an individual to disclose that information if APP 6.2 applies, including if a warrant is issued or if the organisation is reporting crime.
Amongst other things, APP 6.2 permits disclosure if the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order, or if “a permitted general situation” exists in relation to the use or disclosure of the information by the APP entity.
The APP Guidelines give examples of where an APP entity may be required or authorised by law to use or disclose personal information. These include where:
- a warrant, order or notice issued by a court requires the entity to provide information, or produce records or documents that are held by the entity;
- the entity is subject to a statutory requirement to report certain matters to an agency or enforcement body, for example, specific financial transactions, notifiable diseases and suspected cases of child abuse.
Section 16A of the Privacy Act lists seven permitted general situations (two of which only apply to government agencies) when personal information can be disclosed, including when the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in.
APP 6.2(c) authorises an entity taking appropriate action in relation to suspected unlawful activity or serious misconduct.
APP Guideline 6.36 explains that an APP entity may use or disclose personal information where the entity:
- has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in, and
- reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.
Examples of where this permitted general situation might apply include the use of personal information by an APP entity that is investigating fraudulent conduct by a client in relation to the entity’s functions or activities.
The Anti-Money Laundering and Counter-Terrorism Financing Act
For financial service providers and other entities regulated under the AML/CTF Act, section 41 sets out when the organisation must make a suspicious matter report.
A reporting entity is obliged to report suspicious matters to AUSTRAC within a specified timeframe (either 24 hours or 3 business days depending on the type of matter) if, for example, in the course of providing a designated service the reporting entity suspects on reasonable grounds that information that the reporting entity has concerning the provision, or prospective provision, of the service may be relevant to investigation of, or prosecution of a person for, an offence against a law of the Commonwealth or of a State or Territory.
Section 235 protects the reporting entity from liability in relation to anything done, or omitted to be done, in good faith by the entity or its officer, employee or agent in complying with the Act.