- In the first COVID-related privacy case in NSW, a sensible result should not be misunderstood: privacy protections still apply.
- Personal information may be used or disclosed if necessary to prevent or lessen a serious and imminent threat.
Else v Service NSW  NSWCATAD 172 (‘Else’) is the first judgment to consider the impact of the pandemic under NSW privacy laws.
April 2020, Service NSW, on behalf of the NSW government, sent an email to approximately 4.6 million members of the public, for which it had email addresses, linked to Service NSW online accounts. The purpose of the email was to urge members of the public to take steps ‘to slow the spread of COVID-19 and save lives’. The email outlined steps required by public health orders such as not visiting family and friends, and good practices such as maintaining social distance, hand-washing and so on.
The complainant, Else, was an account holder, but had not opted in to receive email newsletters from Service NSW. She complained that the use of her email address to send the email was a breach of Information Protection Principle (‘IPP’) 10, the Use principle, under s 17 of the Privacy and Personal Information Protection Act 1998 (NSW) (‘PPIP Act’).
The privacy law about using personal information
Section 17 provides:
‘A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless –
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.’
The complainant’s name and email address was ‘personal information’ as protected by the PPIP Act.