All agencies – What to tell people when collecting personal information

Health agencies[1] are required to comply with the National Privacy Principles (NPPs), and all other agencies[2] with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).

Under IPP 2 and NPP 1(3), agencies and health agencies are required to provide specific information to individuals when they collect personal information[3]—this information is referred to as a collection notice. Please note that health agency collection notices have additional requirements.

In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.

The privacy principles

IPP 2—Collection of personal information (requested from individual)

(1)  This section applies to the collection by an agency of personal information for inclusion in a document or generally available publication.

(2)  However, this section applies only if the agency asks the individual the subject of the personal information for either—

(a) the personal information; or

(b) information of a type that would include the personal information.

(3)  The agency must take all reasonable steps to ensure that the individual is generally aware of—

(a) the purpose of the collection; and

(b) if the collection of the personal information is authorised or required under a law—

(i) the fact that the collection of the information is authorised or required under a law; and

(ii) the law authorising or requiring the collection; and

(c) if it is the agency’s usual practice to disclose personal information of the type collected to any entity (the first entity)—the identity of the first entity; and

(d) if the agency is aware that it is the usual practice of the first entity to pass on information of the type collected to another entity (the second entity)—the identity of the second entity.

(4)  The agency must take the reasonable steps required under subsection (3)—

(a)  if practicable—before the personal information is collected; or

(b)  otherwise—as soon as practicable after the personal information is collected.

(5)  However, the agency is not required to act under subsection (3) if the personal information is collected in the context of the delivery of an emergency service.

Example—personal information collected during a triple 0 emergency call or during the giving of treatment or assistance to a person in need of an emergency service

NPP 1—Collection of personal information

(3) At or before the time or, if that is not practicable, as soon as practicable after, a health agency collects personal information about an individual from the individual, the health agency must take reasonable steps to ensure that the individual is aware of—

(a)  the identity of the health agency and how to contact it; and

(b)  the fact that he or she is able to gain access to the information; and

(c)  the purposes for which the information is collected; and

(d)  the entities, or the types of entities, to which the health agency usually discloses information of that kind; and

(e)  any law that requires the particular information to be collected; and

(f)  the main consequences, if any, for the individual if all or part of the information is not provided.

(4) If it is reasonable and practicable to do so, a health agency must collect personal information about an individual only from that individual.

(5) If a health agency collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subsection (3) except to the extent that—

(a)  the personal information is collected under NPP 9(1)(e); or

(b)  making the individual aware of the matters would pose a serious threat to the life, health, safety or welfare of an individual.

(6) If the information is required under a statutory collection, a health agency is not required to ensure that the individual is or has been made aware of the matters listed in subsection (3).

(7) In this section—

statutory collection means—

(a)  a register or other collection of personal information that a health agency is authorised or required to maintain under an Act for monitoring public health issues, including, for example, by identifying morbidity and mortality trends, planning and evaluating health services or facilitating and evaluating treatments; or

(b)  personal information collected by a health agency under an Act requiring a person to give information to the health agency.

What is a collection notice?

Despite its name, a collection notice does not need to be a formal notice. Collection notice is simply a convenient term for the information an agency is obligated to make an individual generally aware of when collecting personal information from them.

This is:

  • the purpose for which the information is being collected
  • any law that requires the information to be collected; and
  • any entities it is the agency's usual practice to disclose the information to[4].

Health agencies – additional requirements

Health agencies' collection notices must also include:

  • the identity of the health agency and how to contact it
  • that the individual can gain access to the information; and
  • the main consequences, if any, for the individual if all or part of the information is not provided.

Purpose of collection

The purpose needs to be clearly stated and should be more specific than a general reference to a broad function. The aim is to provide enough information for a person to understand why the information is being collected and/or what it will be used for.

How much detail is necessary will depend on the circumstances. If, for example, the information is collected on a form and the purpose of the collection is straightforward and simple, the title of the form may be enough to inform the person of the purpose. Alternatively, a more detailed notice may be needed where the information being collected will be used for more than one purpose.

Legal authority for the collection

An agency does not require a legal authority to collect information, but the collection notice must include any that exist. These should be limited to laws that actually create an authority or obligation to collect information. Including references to legislation that broadly details the nature and extent of an agency's powers is not required.

Usual disclosures

Where an agency collects personal information and it knows that it usually discloses the information to other entities, details must be included in the collection notice. (For non-health agencies, this must include any entity to whom the information will be passed in turn).

This does not require an agency to imagine all future possible disclosures and include those. It only applies to disclosures an agency knows will, or are highly likely to, occur, because they are what the agency usually does with information of that kind. This may be, for example, because of a standing arrangement or a legislative obligation. It is not an agency’s usual practice to disclose information if it only does so in response to irregular requests or in exceptional cases.

Publication or online disclosure

If your agency collects personal information knowing it will, or is likely to, publish or disseminate it, eg online or in a document which will be available to the public, this must be included in the collection notice.

When does an agency have to give a collection notice?

An agency must take all reasonable steps to provide a collection notice whenever it collects personal information from the individual it is about. If practicable, it must be given at or before the time of collection or as soon as practicable after the information is collected.

Health agencies – extra obligations

Even if a health agency collects personal information about an individual from someone else, it must still take reasonable steps to ensure the individual is provided with a collection notice.

See below at 'Health agencies – collection notice when not collecting directly from the individual' for more information.

Practicable

Whether providing the collection notice before or at the time of collection is practicable or not can be determined by considering the nature of the information being collected and the circumstances surrounding the collection.[5]

For example, circumstances where it may be impracticable to provide a collection notice before or at the time of collection include where there is an urgency to the collection, where it could endanger an employee, or where the individual is incapacitated.

All reasonable steps

An agency is required to take all reasonable steps to give the individual a collection notice. If there are no reasonable steps the agency can take, then giving the notice is not required. However, this may be difficult to establish where the agency is collecting the information directly from the individual.

Generally, if the agency is in contact with the individual, it can provide them with a collection notice; even if it is not practicable to do so before the collection, a collection notice could be sent to the individual after the fact.

In most cases, for there to be no reasonable steps an agency could take would require there to be circumstances that would mean giving the notice:

  • would inhibit or render pointless the collection of information
  • would place an onerous or unreasonable burden on the agency; or
  • could reveal personal information about third parties.

For example, where the information was being obtained covertly to investigate a potential wrongdoing, providing a collection notice would make the collection either pointless or impossible.

Ways to give a collection notice

Collection notices can be given in any way that makes the individual aware of the relevant details. The most suitable way will depend on:

  • how the information is collected
  • the amount of information (regarding handling, use and disclosure) that needs to be given to the individual; and
  • any specific needs of the individual.

Collection notices can be prepared in advance—included on forms, added to telephone scripts, placed on websites, included in pamphlets, placed on notice boards, displayed at service counters or included in correspondence—and all officers should be trained to know when they need to be provided. For example:

  • If an agency collects personal information by asking someone to fill in a form then the notice should be printed on the form itself. However, the notice should not be hard to find or read (eg the font used for the notice should not be too small) and generic notices should not be used.
  • Alternatively, where forms are being used, the collection notice can be included in a pamphlet that goes with the form. The pamphlet should be supplied at the same time as the form, and there should be a reference on the form referring individuals to the pamphlet.
  • An agency seeking submissions on a consultation document should include the collection notice in the consultation document or in accompanying material that explains the submission process.
  • If an agency collects personal information during an interview it can give the individual a verbal or written collection notice at the interview. If written, the interviewee must be given time to read the notice, and the interviewer should try to answer any questions the individual may have before the interview proceeds.
  • Where personal information is collected over the phone, the collection notice could be given by way of a recorded message or given personally by the officer the individual speaks to. In the latter case, consideration should be given to pre-drafting the text and including it in staff instructions, and the reason for the notification should be explained clearly. A written copy should be provided to the individual if requested.

Ideally, where information collection is automated, eg through a website, the provision of a collection notice should be automatic.

Exceptions to the requirement to give a collection notice

Non-health agencies

Non-health agencies do not need to give a collection notice if they collect information while delivering an emergency service.

Additionally, under section 29 of the IP Act, if a law enforcement agency is satisfied on reasonable grounds that non-compliance is necessary to achieve or carry out an enforcement function it does not have to comply with the requirement to give a collection notice.

It is not sufficient for the agency to simply have a law enforcement function; it must demonstrate that the non-compliance is necessary to perform the function.

Health agencies

Health agencies do not need to give a collection notice if they collect information for a statutory collection.

Statutory collection means:

  • a register or other collection of personal information that a health agency is authorised or required to maintain under an Act for monitoring public health issues, including, for example, by identifying morbidity and mortality trends, planning and evaluating health services or facilitating and evaluating treatments; or
  • personal information collected by a health agency under an Act requiring a person to give the information to a health agency.

For example, this includes information collected for:

  • the cancer registry
  • licences or authorities under the Health (Drugs and Poisons) Regulation 1996 (Qld); and
  • applications for licences under the Private Health Facilities Act 1999 (Qld).

Health agencies – collection notice when not collecting directly from the individual

Unlike other agencies, for health agencies the collection notice requirement applies when personal information about an individual is collected from somebody other than that individual. For example, when:

  • a relative calls a health service with information about the health status of a patient
  • a health agency collects information from a job applicant’s referee to determine their suitability for a position or undertakes a criminal history check on an employee; or
  • it receives information about a departmental employee from a patient or member of the public in the form of a complaint.

In practice, this means that where a third party gives information to a health agency about an individual, the health agency must, where practicable, take reasonable steps to ensure the individual is generally aware of the information that would normally be contained in a health agency collection notice. However, there is no requirement to tell the individual the content, source, or nature of the information collected.

Exceptions

This requirement does not apply if doing so would pose a serious threat to the life, health, safety or welfare of any person.

It also doesn't apply where the information collected was a family medical history, social medical history or other relevant information about any individual, it was collected for the purpose of providing any person with a health service, and it was collected from:

  • the person who is to receive or is receiving the service
  • a parent of the relevant individual
  • a child or sibling of the relevant individual if a health professional believes the child or sibling has capacity
  • a spouse or de facto partner of the relevant individual
  • a relative of the relevant individual if the relative is a member of the relevant individual’s household
  • a guardian of the relevant individual
  • a person exercising a power under an enduring power of attorney made by the relevant individual that is exercisable in relation to decisions about the relevant individual’s health
  • a person who has sufficient personal interest in the health and welfare of the relevant individual; or
  • a person nominated by the relevant individual to be contacted in case of emergency.[6]

[1] In this guideline, health agency includes a bound contracted service provider to a health agency.
[2] In this guideline, agency includes Ministers and bound contracted service providers to the agency.
[3] Any information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
[4] Non-health agencies must also advise of anyone those entities will pass it to.
[5] For a detailed discussion on the meaning of ‘practicable’ see Key privacy concepts – practicable and impracticable.
[6] NPP 9(1)(e).

Current as at: September 19, 2019