Privacy and Data Rights
Organisation Shares Personal Information Without Consent
Your right to control how your personal information is used and shared
Premium
foundational
7 minutes
The Situation
What They Said
“We shared your details with our partners. It's in our terms and conditions.”
The sharing of personal information with third-party 'partners' — marketing companies, data brokers, affiliated businesses, and commercial partners — is one of the most common and least transparent practices in the modern digital economy. Australians regularly provide personal information to organisations — retailers, loyalty programs, health services, apps, subscription services — and that information is then shared, sold, or used for purposes far removed from what the individual understood they were agreeing to. The revelation that personal information has been shared is often delivered as an afterthought: 'it's in the terms and conditions.'
The Privacy Act 1988 (Cth) governs how organisations that are subject to its provisions may collect, use, and disclose personal information. Australian Privacy Principle 6 (APP 6) prohibits an organisation from using or disclosing personal information for a purpose other than the primary purpose for which it was collected, unless an exception applies. The most commonly invoked exceptions are consent and a 'related secondary purpose' that the individual would reasonably expect — but burying a broad consent in a lengthy terms and conditions document that most people do not read may not satisfy the meaningful consent standard the OAIC expects.
The gap between what people think they are consenting to and what terms and conditions actually permit is a major privacy issue in Australia. The Privacy Act is currently under reform — the Australian Government's proposed reforms include stronger consent requirements and more meaningful control over data sharing — but existing law already provides more protection than most individuals realise. Understanding APP 6 gives individuals the tools to challenge data sharing that goes beyond what they genuinely understood and agreed to.
The Fallacy
Terms and Conditions Consent Fallacy
The organisation is asserting that the existence of a clause somewhere in their terms and conditions — a document the vast majority of people do not read, often do not have the opportunity to negotiate, and frequently must accept as a condition of accessing a service — constitutes meaningful consent to share personal information with third parties. Australian privacy law does not treat 'we put it in the T&Cs' as automatically satisfying the consent requirement under the Privacy Act.
The Privacy Act and the Australian Privacy Principles require that consent be 'voluntary, informed, current, specific, and given by someone with the capacity to consent.' A general clause buried in a long document, or pre-ticked boxes that require active unchecking, does not satisfy the 'informed' component when the individual had no realistic opportunity to understand what they were agreeing to. The OAIC's guidance on consent under the APPs is explicit about this — consent that is not genuinely informed is not valid consent under Australian privacy law.
Furthermore, APP 6 creates a secondary use/disclosure restriction even where consent was given. Personal information collected for one primary purpose — for example, processing a purchase — cannot be disclosed to a third party for an entirely unrelated purpose — for example, targeted marketing — simply because a broad consent was buried somewhere in the paperwork. The secondary purpose must be either directly related to the primary purpose, or the consent must be specifically to that secondary purpose.
What the Law Says
Your Legal Foundation
Privacy Act 1988 (Cth)
Australian Privacy Principle 6 — Use or Disclosure of Personal Information — Restriction on Secondary Use and Disclosure
“If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless: the individual has consented to the use or disclosure; or the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the entity to use or disclose the information for the secondary purpose.”
An organisation that collects your contact details to process a purchase, and then shares those details with an unrelated marketing partner, is using your information for a secondary purpose. Unless you specifically consented to that secondary use — with meaningful consent, not buried fine print — or the secondary use is something you would reasonably have expected, the organisation has likely breached APP 6.
Privacy Act 1988 (Cth)
Australian Privacy Principle 1 — Open and Transparent Management of Personal Information — Privacy Policy Must Clearly Disclose How Information Is Handled
“An APP entity must have a clearly expressed and up-to-date policy about the management of personal information by the entity. The policy must include the kinds of personal information collected, how it is collected and held, the purposes for collection and disclosure, and information about how an individual may make a complaint.”
An organisation's privacy policy must clearly disclose that personal information will be shared with named or described third-party partners, and for what purposes. If the privacy policy does not clearly describe the sharing practice you have discovered, the organisation may be in breach of APP 1. This can be raised with the OAIC as part of a privacy complaint.
Privacy Act 1988 (Cth)
Australian Privacy Principle 12 — Access to Personal Information — Right to Access Your Own Information
“If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.”
Before or alongside any complaint about data sharing, an individual can request access to all personal information the organisation holds about them under APP 12. This enables the person to understand the full scope of what was collected and what was shared, which is essential evidence for a privacy complaint to the OAIC.
What Scripture Says
God's Word on This
Proverbs 11:13 (NIV)
“A gossip betrays a confidence, but a trustworthy person keeps a secret.”
Scripture values trustworthiness in handling what others have confided. When a person shares their personal information with an organisation — their address, their health details, their purchasing habits — they are extending a form of trust. An organisation that passes that information on to unnamed third parties without genuine consent is betraying that trust in exactly the way this verse describes. Pursuing a privacy complaint is a lawful way of holding that betrayal to account.
Matthew 7:12 (NIV)
“So in everything, do to others what you would have them do to you, for this sums up the Law and the Prophets.”
The golden rule, applied to data handling, demands that organisations treat individuals' personal information with the care and respect they would want their own information to be treated with. An organisation that shares personal information without meaningful consent is not applying the golden rule — it is treating customers as data sources rather than as people. The Privacy Act codifies this ethical standard into law.
🔒
You Know the Law — But Do You Know What to Say?
Reading your rights is one thing. Using them under pressure — calmly, correctly, in the right words — is what actually protects you. Members get the scripted rebuttal for this exact situation: what to say first, what to say if they push back, the tone to use, and the constitutional provision to cite. Practise out loud with audio until it's automatic.
Unlock This Scenario — R89/month
Identity & Dignity and Gender & Equality are free · All 17 domains from R89/month · Cancel anytime
Not ready to subscribe? Get the free checklist first.
10 South African rights scenarios — what to say, what to cite, what to refuse. Free, no card needed.
What They'll Say Next
Common Counter-Arguments
After you respond, they may push back with these arguments. Members get the full rebuttal for each.
They might say: “We have a data processing agreement with our partners — they're bound by the same privacy rules we are.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
They might say: “You opted out of marketing from us, but our partners are separate organisations — you have to opt out from them directly.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
Know Your Rights. Know Your Word.
149 South African rights scenarios — exact rebuttals, constitutional law, and Scripture. Practise out loud with audio. Free to start with 2 full domains.
Try Free — Identity & Dignity
No credit card · Upgrade anytime for all 17 domains