6.2 How can the Operator use protected information?
Protected information should not be handled in any way by a person without an authorised reason for doing so. This includes obtaining information, recording information, disclosing information to another person, and using information. This is a necessary protection to ensure the safety and privacy of information collected about people and institutions, and to ensure the public retains confidence in the Scheme overall.
The Operator can disclose protected information held by the Scheme about a person or institution to another officer or government institution only in circumstances permitted by the Scheme's legislation.
Disclosures to nominees
The Operator can disclose protected information they receive from a person to that person's assistance nominee or legal nominee. The nominee needs this information so they can be properly informed and act in the best interest of the person they are assisting at all times.
Act reference: NRSAct section 94 Additional authorisation-Operator disclosing to nominee
Disclosures in the public interest or to specific people
The Operator may disclose information, or authorise the disclosure of protected information, if the disclosure of the information is necessary and in the public's interest. This is only where:
- the information cannot reasonably be obtained from a source other than the Department of Social Services or Services Australia, and
- the person to whom the information will be disclosed has a genuine and legitimate interest in the information (including the Minister for Social Services, the Minister administering the Human Services (Centrelink) Act 1997, and the Prime Minister).
The Operator may disclose protected information provided to, or obtained by the Scheme for a non‑participating institution to a person for the purposes of encouraging that institution to join the Scheme.
This allows the Scheme to provide information about the Scheme, participating institutions or applicants where it is necessary to do so. For example, the Scheme may disclose to an institution not yet participating in the Scheme that it has been named in applications. The provision of this information will support the Scheme to encourage the institution to join the Scheme.
The Operator may disclose protected information to:
- a person or institution which is authorised to receive the information
- the Chief Executive of both Centrelink and Medicare where it relates to a Centrelink or Medicare program
- the head of a government institution for the purpose of something that is within scope of responsibility of that institution, or
- a relevant Commonwealth, state or territory government minister where they are authorised.
Once the Operator discloses protected information to a person for an authorised purpose, the person who received the protected information can then obtain, record, disclose and use this information, but only for the purposes permitted by law.
Act reference: NRSAct section 95 Additional authorisation-Operator disclosing in public interest or for another specified purpose
Disclosures for law enforcement or child safety or wellbeing
Where the Operator is satisfied it is reasonably necessary to disclose protected information for the enforcement of criminal law, or for the safety or wellbeing of children the Operator can do so. If the protected information is specifically about a person who has applied for redress, the Operator must consider any impacts that the disclosure might have on the person.
The Operator can disclose information for law enforcement or child safety purposes to a government institution that has a function addressing these purposes. Government officials working within the government institution are then permitted to obtain, record, use and disclose the protected information only if it is their job to do so for the purpose the Operator disclosed the information.
The Operator can impose in writing conditions on how government officials can handle protected information received for the purposes of law enforcement or child safety. Any person who receives protected information with conditions but engages in conduct (within the meaning of the Criminal Code Act 1995) that breaches those conditions may be subject to a penalty of 2 years imprisonment, 120 penalty units, or both. Any instrument containing conditions specified by the Scheme in writing is not a legislative instrument.