Centrelink’s decision to release a welfare recipient’s personal information to a journalist has drawn heavy fire over the past 48 hours.

Welfare recipient Andie Fox wrote an article for Fairfax Media last month setting out her difficulties dealing with the agency after she began receiving calls from a debt collector. But her interactions with Centrelink and claim history were later set out – with some information she says is incorrect – in a separate article by Fairfax Media.

The case has thrown up a range of issues and reopened the question of how and when a government agency can release personal information about an Australian.

Here’s an outline of when the government can release personal information and what can be done if a person feels that their privacy has been violated.

When can a government agency release personal information they hold about a person?

Most government bodies have special provisions that not only prohibit the release of any data they hold but also make it an offence to do so. In Centrelink’s case, information about a welfare recipient’s case would be considered protected information. This makes it illegal to release personal information to another entity.

There are exceptions to this rule. One of them is the power the secretary holds to release information “to such persons and for such purposes” as they see fit. This involves issuing a “certificate” to formalise the release of information. This process is part of the accountability process; because of the gravity of releasing a person’s personal information it should be clearly documented and outlined by the secretary. There are even guidelines issued by the social services minister that guide the secretary on when and how they can do this, which could include correcting a comment made in the media.

Is this how Centrelink accessed Fox’s data?

Centrelink said on Monday the secretary didn’t issue a certificate to release the information. A spokeswoman said the department was able to use personal information “for social security law or family assistance law purposes” and it was entitled to release information to correct the record. The spokeswoman said, “They do not need to be formally authorised by the secretary.”

This is a new development and has surprised a number of administrative lawyers and privacy experts.

Penalties can be imposed on organisations that breach the act if a person complains their privacy has been breached

The agency appears to be relying on a section of the act it says precludes the need for a certificate. This section contains a very generally drafted line authorising the disclosure of information “for the purposes of the social security law”.

What’s wrong with this approach?

It’s difficult to see how releasing the details of a welfare recipient to a journalist meets a purpose of social security law. Perhaps not surprisingly, there’s nothing terribly specific on this issue set out in the act.

If Centrelink’s interpretation is correct, then this has profound implications for how the agency can use personal information. It means it can avoid using the more formal mechanisms to release a person’s details to a news outlet.

But not just a news outlet; foreseeably this power could be used for any purpose where there is even the most remote connection to the vast body of social security law that exists.

Some organisations have already said they regard the lawfulness of it as seriously debatable.

A senior lecturer at the La Trobe law school, Darren O’Donovan, wrote in a post published on Tuesday it was unlikely the organisation could release personal information without the secretary authorising it with a certificate.

Which options do people have if they feel their personal information has been breached?

The Privacy Act regulates the use and disclosure of personal information for all Australians. Financial penalties and other remedies can be imposed on organisations that breach the act if a person complains their privacy has been breached.

One of the key privacy principles states that if a government entity holds personal information it can’t disclose this information to another person.

An exception to this rule is if release of the personal information is authorised by another law. This means that if Centrelink is correct, and it does have the authority to release personal information without a certificate, there isn’t likely to a breach of privacy laws.

If Centrelink’s reasoning for releasing information isn’t accepted, then it becomes more of an issue for Centrelink. But it still doesn’t necessarily constitute a breach of privacy laws if the release of the information to the media was considered a reasonable “secondary use” under the privacy principles.

The Office of the Australian Information Commissioner’s guidelines outline a number of examples where a secondary use can apply, including where “the individual makes adverse comments in the media about the way an APP entity has treated them. In these circumstances, it may be reasonable to expect that the entity may respond publicly to these comments in a way that reveals personal information specifically relevant to the issues that the individual has raised.”

It could arguably still be viewed as a release of personal information that was disproportionate to the issue Centrelink was seeking to address.

Irrespective of whether a complaint has been lodged, the privacy commissioner can also launch an own motion investigation. The current commissioner, Timothy Pilgrim, has previously taken this step to investigate the immigration department for accidentally disclosing the personal details of almost 10,000 asylum seekers held in detention.

Pilgrim told Senate estimates on Tuesday he was making preliminary inquiries of Centrelink to determine whether it had the lawful authority to release Fox’s personal information.

It remains to be seen whether the commissioner will launch an investigation.