In brief

Institutions frequently receive informal requests for records outside the scope of pre-litigation discovery or court-ordered subpoenas. In these situations, it can be difficult for an institution to navigate its obligations to disclose personal information given strict privacy laws and broad, onerous requests by individuals.


Privacy and handling of information is governed by the Privacy Act 1988 (Cth) (Privacy Act). All institutions should have a Privacy Policy and in certain circumstances, this is mandatory under the Privacy Act. 

The Australian Privacy Principles (APP) are contained within the Privacy Act. APP12 applies when an institution is asked to give an individual, or their intermediary, access to any personal information it controls about that individual.

Personal information includes names and contact details, sensitive information, credit information, photographs or employee record information. Sensitive information includes matters such as racial or ethnic origin, religious or political associations, sexual orientation, health or criminal information and generally has the highest level of privacy protection. 

Documents such as newsletters, magazines, yearbooks or other publicly available publications do not comprise personal information and may be disclosed without concern for breaching the privacy of individuals. 

An institution is required to respond to the individual's request for personal information within 30 days of receipt of the request and to provide disclosure within a reasonable period thereafter. Before disclosing any information, an institution should take steps to verify an individual's identity such as through provision of a signed Authority to Receive. An institution can charge for costs incurred in producing the personal information, provided the charge is not excessive. This may include staff costs in searching for, locating, reproducing and sending the information to the individual, or their intermediary. 

If another individual, organisation or agency seeks personal information, APP6 dictates that the personal information can only be used or disclosed in ways which the individual would have expected (known as the primary purpose) or if an exception applies. Exceptions include implied or actual consent, if sought by law or court order, if reasonably necessary for an enforcement body or if being disclosed to a related body corporate. Care should be taken where there are uncertainties in the application of these exceptions. 

Authority to Receive

An Authority to Receive is an informal document by which an individual seeks personal information. It holds no legal basis for compulsion of records other than the personal information relating to the individual.

Requests for Staff Files

Whilst information of other individuals may be sought (such as staff files), the Privacy Act and APP still apply to this information, and an institution should not disclose any records other than the personal information of the individual who has provided the authority. Redactions of those records may be necessary to protect the personal information of other individuals (who might include other students and staff).

If personal information is sought regarding a person who is deceased, the Privacy Act will no longer apply. Therefore any information relating to a deceased person can be disclosed, unless the document also refers to a living person, in which case the reference to that person should be redacted.

National Redress Scheme

The use and disclosure of protected information is governed by the National Redress Scheme for Institutional Child Sexual Abuse Act 2018 (Cth) (NRS Act).

Protected Information includes information similar to personal information in addition to an individual's disclosure of abuse made to the National Redress Scheme (NRS). The NRS Act dictates that protected information cannot be disclosed for any purpose other than the NRS, despite one instance of contrary case law in Victoria (see Jagoe v Trustees of the Marist Brothers & Anor [2022] VSC 563) which has not been adopted by other jurisdictions. Care should be taken not to disclose protected information to other individuals or institutions. 

Documents Sought by Law or by Court Order

An institution may also receive a formal request for records in the form of pre-litigation discovery, police warrants, subpoenas and notices to produce. Each of these is an exception to the disclosure of documents under the Privacy Act and must be complied with subject to the rules and laws within each Australian jurisdiction.

For example, in NSW, if a subpoena to produce is issued on an institution seeking personal information, the records containing the personal information must be produced in unredacted form if they relate to a fact in issue in the court proceedings. Production under the subpoena may consequently disclose personal information of persons who are unrelated to the court proceedings and who may not have consented to the disclosure of their information by the institution, but the records must nevertheless still be produced by the institution.

The disclosure of records, particularly in sensitive historical matters, can form important evidence in any criminal or civil proceedings. We therefore recommend exercising great care in considering an institution's legal obligations before disclosures are made.

This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2024.
