Australian privacy law allows an organisation or agency to use or disclose your personal information for the reason they collected it (the primary purpose), including for direct marketing activities.
An organisation or agency can’t use or disclose your personal information for another reason (a secondary purpose) unless an exception applies. Exceptions include:
- you’ve consented to an organisation or agency using or disclosing your personal information for a secondary purpose
- an organisation or agency uses or discloses your personal information because they think it’s reasonably necessary for enforcement-related activities carried out by, or on behalf of, an enforcement body
- a secondary purpose is required or authorised under an Australian law, or court or tribunal order.
Is an organisation or agency ‘using’ your personal information?
An organisation or agency is ‘using’ your personal information if they control how the information is handled. For example if they:
- search their records for your personal information
- access and read the personal information they hold about you
- make a decision based on the personal information they hold about you
- pass your personal information from one part of the organisation or agency to another.
An organisation or agency is even using your personal information if an employee without authority accesses it while doing their work duties.
Is an organisation or agency ‘disclosing’ your personal information?
An organisation or agency ‘discloses‘ your personal information if they give access to it, or show it to another individual, organisation or agency. This includes situations where the individual, organisation or agency receiving your personal information already knows it.
For more information about the use and disclosure of personal information, see the Australian Privacy Principles guidelines, Chapter 6
