Grants of authorisation
If the public interest and the benefits to individual people justify it, the Information Commissioner can authorise departure from some of the Information Privacy Principles.
The Commissioner can authorise a public sector organisation to collect, use or disclose personal information in a way that would otherwise contravene or be inconsistent with IPP 1 (Collection), IPP 2 (Use and disclosure) or IPP 10 (Sensitive information).
Only a public sector organisation can apply for a grant of authorisation to depart from the IPPs.
When can an authorisation be granted?
The Commissioner may grant an authorisation if, having regard to the purpose for collecting, using or disclosing the personal information, the Commissioner is satisfied that:
(a) the public interest in collecting, using or disclosing the information outweighs to a substantial degree the interference with the privacy of persons that might result from collecting, using or disclosing the information; AND
(b) the benefit to persons of collecting, using or disclosing the information outweighs the interference with the privacy of those persons that might result from collecting, using or disclosing the information (s.81).
Paragraph (a) looks at the balance between the public interest and individual privacy interests. The public interest can include benefits to a class of individuals in an appropriate case. The public interest must outweigh the privacy interests to a substantial degree.
Paragraph (b) looks at the balance between the benefits to individuals and interference with individual privacy interests.
Both paragraphs (a) and (b) must be satisfied before an authorisation can be granted.
What can't be authorised?
The Commissioner can only authorise departure IPP 1, IPP 2, or IPP 10. The Commissioner can't authorise acts or practices that would also breach other Principles.
The procedure
These are likely to be common elements of the application process.
- The organisation consults with the Office of the Information Commissioner.
- The organisation prepares an application.
- The Commissioner gives preliminary consideration to the application. This may involve obtaining further information from the organisation and third parties, including a public consultation process.
- The Commissioner prepares a draft authorisation.
- The Commissioner may require an organisation to publish notice of its application either before or after a draft authorisation is prepared, depending on the amount of public consultation that is considered appropriate (if any).
- The Commissioner may convene a conference or take other appropriate steps to canvass views on the application or draft authorisation.
- The Commissioner determines whether to grant the authorisation, and if so, what terms or conditions apply.
Consult with the Information Commissioner
A public sector organisation that is considering making an application should first contact the Office of the Information Commissioner to discuss -
- whether there is a need to make an application; and
- what information is likely to be required by the Office to deal with an application.
At this time, the organisation should advise if it views the need for an authorisation as urgent.
The application
The applicant organisation must satisfy the Commissioner that -
- the public interest in the collection, use or disclosure outweighs to a substantial degree the interference with the privacy of persons that might result; and
- the benefit to persons of the collection, use or disclosure outweighs the interference with the privacy of those persons; and
- the Commissioner should exercise his discretion in favour of a grant of authorisation.
An application should provide all available information and evidence that supports, or runs contrary to, the grant of an authorisation. Public sector organisations have a duty to assist the Commissioner in making the correct decision, rather than merely representing the interests of the particular organisation.
It will frequently be useful for an organisation to include detailed draft procedures and policies for the implementation of the proposed act or practice, as the way in which a proposal is implemented can often have a significant effect on the potential for, and severity of, privacy implications.
Issues that should be addressed in an application include:
- The nature of the public interest objectives served by the interference with privacy;
- The extent to which the act or practice is inconsistent with persons' reasonable expectation of privacy;
- The potential for the act or practice to benefit the interests of individuals;
- The potential for the act or practice to harm the interests of individuals;
- The impact on the public interest or on persons if the practice or act is not permitted;
- Whether a code of practice would be more appropriate.
The application should also:
- identify the information privacy principle(s) that the act or practice may contravene or be inconsistent with;
- describe in detail the personal information involved, and the act or practice being done or proposed to be done;
- where possible, identify the class of people the act or practice relates to, including the expected number of people whose information may be involved;
- detail any other organisations involved and their role in the act or practice;
- explain or express a view on why the balance of the public interest and the benefit to persons outweighs any resulting interference with the privacy of persons, including examples where possible;
- identify alternative courses of action that have been considered that would not lead to contravening or being inconsistent with an IPP, and explain why those alternatives are not feasible;
- anticipate the nature, extent and frequency of the act in question;
- indicate if the application is considered to be urgent and describe why;
- indicate the length of time the authorisation should be in place;
- consider terms and conditions that might apply to an authorisation.
If an application relates to the disclosure of personal information, the organisation should also indicate:
- the names of other organisations that will receive the information, indicating whether the recipient is covered by the Information Act, another Act or not;
- safeguards on further use and disclosure by the recipient such as security or access arrangements, agreements between the parties or sanctions for breach of an agreement;
- any conditions on the use or storage of the information by the recipient;
- the scope of the proposed disclosure;
- procedures for notifying affected individuals and/or obtaining their consent;
- the steps the organisation has taken to ensure the recipient of the information is appropriate in terms of their functions and interests, and that disclosure is necessary;
- how the proposed recipient has demonstrated awareness of their privacy obligations.
Preliminary consideration of application
After receiving an application, the Commissioner may then obtain additional information or evidence from the organisation and from third parties. This may include a requirement for public notification and consultation.
If, after considering an application and any other materials obtained, the Commissioner is of the preliminary view that an authorisation may not be granted, the Commissioner may advise the organisation of the basis for that preliminary view, and invite it to make a submission in response to that preliminary view, before the Commissioner proceeds to a determination.
Draft authorisation
The Commissioner may prepare a draft authorisation taking into consideration any matters, including those raised in the application.
A draft authorisation may be accompanied by an explanation about any factors justifying or necessitating the grant of authorisation.
The Commissioner may provide a copy of the draft authorisation to the applicant and interested parties and seek feedback.
The Commissioner may canvass views on the application and may convene a conference of people or organisations considered to have a real and substantial interest in the application.
Notice of application
An organisation applying for an authorisation may be required to publish notice of its application at any stage during the application process. The Commissioner will determine the extent of any notice required, taking into account:
- whether the act or practice is a continuation of an existing one;
- any possible adverse consequences for individuals resulting from the act or practice;
- whether third parties may criticise or object to the act or practice;
- whether the effects of the act or practice are minor and non-controversial.
An organisation may be required when it publishes notice of the application to invite expressions of interest or submissions to be sent to the Commissioner. It may be useful for the organisation to provide a copy of its application along with these guidelines to interested parties.
Determination
In determining whether to grant an authorisation, the Commissioner will consider all the available information, including any submissions received or matters raised at any conference that has taken place.
A determination will include a statement of reasons.
A copy of the determination will be sent to the applicant organisation. The Commissioner may also disclose the determination to parties with a real and substantial interest in the application or publish the determination in appropriate circumstances. Details of the determination will usually be published on the Commissioner's website. The organisation may also be required to publish the determination or the terms of the authorisation as a condition of grant.
Terms and conditions
Where an authorisation is granted, the Commissioner may also determine any terms or conditions to apply.
Terms and conditions that might be considered by the Commissioner include:
- a time limit on the authorisation
- requirements for affected individuals to be notified
- establishment of mechanisms for individuals to "opt out" of the collection, use or disclosure
- requirements for a review of the exercise of the authorisation
- requirements for a report or audit of compliance with conditions
- determination of timeframes or other circumstances for reconsideration of the grant
- adoption of arrangements that enhance privacy in a different way to that required by IPPs 1, 2 and 10.
Departure from the IPPs is not a course to be assented to lightly. In most cases, departures should be subject to regular review and justification, based on actual experience of the benefits and problems that arise. It is therefore anticipated that most authorisations will be subject to terms and conditions limiting them as to time and requiring a review and report to the Commissioner, in order to establish whether a further grant is required and justified.
Acknowledgments: Parts of this page have been adapted with permission from guidelines produced by the Federal Privacy Commissioner. Guidelines produced by the New Zealand Privacy Commissioner were also referred to in the course of production.
Last Updated on
19 June, 2008

