Information sharing between agencies

In effect from: 1 July 2025

Queensland government agencies must manage personal information in compliance with the privacy principle requirements in the Information Privacy Act 2009 (Qld) (IP Act). This includes when sharing personal information with other agencies or in response to critical events.

Sharing information between agencies

Agencies deliver services to the community in accordance with their specific responsibilities. Where these responsibilities overlap and/or interact with the responsibilities of other agencies, sharing information can aid in the efficient and effective targeting of government resources, support, and services.

Information sharing can lead to better informed government decision making and streamline government processes, particularly where the individual would otherwise be providing the same information to related agencies. This can be especially beneficial where the information may be difficult or traumatic to retell.

Sharing information can also provide enhanced protections for vulnerable members of the community, such as victims of family violence, by allowing better collaboration between support agencies.

Sharing personal information with another agency or agency will generally involve disclosing it. Any disclosure of personal information to another agency or agency must comply with Queensland Privacy Principle 6 (QPP 6).

Planning for information sharing

The steps an agency takes when planning to share information will depend on whether it will be one-off or an on-going arrangement.

Ongoing, regular sharing of personal information should be governed by a written agreement that sets out the parameters of the arrangement, including the grounds on which the sharing is permitted, any limitations on access and use of that information, and a process to address situations where the agreement is not followed.

If information sharing will be a regular occurrence, this needs to be reflected in the information provided to individual under QPP 5.

Addressing the below issues in an agreement can assist in ensuring the transferring agency and receiving agency meet their privacy obligations:

• Which officers will be involved in sharing the information before, during, and after? Generally, only officers who need to be involved in the process or subsequent use of the personal information should have access to the shared information.
• What is the nature of the information being shared? Is some or all of it sensitive or subject to specific security considerations?
• How is it being shared? This will often depend on the information's form, e.g., is it copies of paper or digital records or is partial/full access to an agency’s database being given?
• Is the sharing subject to audit or monitoring arrangements to ensure that the proposed objective is being/has been met and that only designated persons are involved in the process?
• Is there a timeframe for review of any long-term sharing arrangement?

Depending on the circumstances and information being shared, a privacy impact assessment (PIA) should be undertaken. A PIA will allow agencies to identify, assess, and manage any risks associated with the information sharing arrangement. Even if a PIA is not developed, assessing the risks associated with the intended information sharing can be an important part of privacy compliance.

One-off information sharing will generally not require a written agreement, but agencies need to consider their privacy obligations, decide whether sharing the information is appropriate, and document the disclosure.

For both one-off and ongoing sharing, the disclosing agency and the receiving agency must ensure they comply with the relevant privacy principles.

Sharing the information

As part of assessing any personal information sharing arrangement, agencies should identify:

• the purpose of sharing the information
• whether the sharing is authorised by an Act
• if disclosure is compliant with the QPPs
• if sharing involves disclosing it overseas.

A PIA can be useful for assessing and addressing these issues.

What is the purpose of the information sharing?

It is essential that both the disclosing agency and the receiving agency understand and agree on the purpose of any proposed sharing of personal information. The purpose will determine:

• whether the agency requesting it can do so without breaching QPP 3; and
• whether the disclosing agency can share the personal information without breaching QPP 6.

Is there an Act that requires or permits the sharing?

Personal information can be used or disclosed where doing so is authorised or required by law, or by a court or tribunal order. This includes where it's impliedly authorised or required, because the agency cannot rely on the law or order without using or disclosing personal information.

If an Act requires or permits the information to be shared, then the sharing will be authorised if it is done in accordance with any specific requirements in that Act. This may require agencies to assess the Act to ensure its provisions have been complied with.

For example, the Domestic and Family Violence Protection Act 2012 (Qld) (DFVP Act) creates an information sharing arrangement that allows agencies to share information where a person’s safety may be at risk. It requires consent to be sought where safe, possible, and practical but allows sharing without consent where:

• the agency reasonably believes a person fears or is experiencing domestic violence; and
• the information may help another service receiving the information to assess whether there is a serious threat to the person’s life, health, or safety because of domestic violence.

If disclosure is prohibited by law

The QPPs do not override provisions of other Acts that prohibit the disclosure of personal information. If information is subject to confidentiality or secrecy provisions, agencies must refer to the relevant Act to determine if it can be shared.

Privacy principle waivers

The IP Act allows for an agency's compliance with the privacy principles to be waived or modified where non-compliance is more in the public interest than compliance.

These waivers can allow information sharing that would otherwise be a breach of the privacy principles, for example waiving the privacy principles to permit for information sharing between agencies to settle longstanding Aboriginal land ownership issues.

Information sharing and law enforcement agencies

The IP Act contains a number of provisions dealing specifically with law enforcement agencies and enforcement-related activities. These provisions recognise that an agency’s use and disclosure of personal information for investigation and enforcement purposes may not be compatible with the privacy principles in all circumstances. For example, it would defeat the purpose of covert surveillance if an agency were required to inform the individual that their personal information was being collected.

Law enforcement agencies and enforcement-related activities are dealt with in three different ways in the IP Act:

• as part of the QPPs – agencies are bound by the QPPs but can rely on specific exceptions for law enforcement agencies and enforcement-related activities, eg QPP 6.2(e), 6.2(f), and 6.2(b).
• permitted non-compliance with some of the QPPs – section 29 excuses a law enforcement agency from complying with certain QPPs if necessary for an enforcement-related activity or other law enforcement function; and
• exemptions from the QPPs – under Schedule 1 of the IP Act, the privacy principle requirements do not apply to personal information in specific documents.

What if a law enforcement agency asks for personal information?

If a law enforcement agency (Agency One) requests information from any other Queensland government agency (Agency Two), Agency Two could rely on QPP 6.2(e) to disclose information to Agency One. However, Agency Two can only disclose if it is satisfied on reasonable grounds that the personal information is necessary for Agency One to carry out one or more ‘enforcement-related activities’ as defined in schedule 5 of the IP Act.

An agency which is asked to disclose personal information under QPP 6.2(e) must have sufficient evidence to satisfy itself that the disclosure is justified. In the event of a privacy complaint, the onus will be on the agency disclosing the personal information to demonstrate that it acted in compliance with the privacy principles. The agency may elect not to disclose personal information to a law enforcement agency under QPP 6.2(e) unless the request is made in writing by a sufficiently senior officer and sets out the reasons why the personal information is required.

If there is a regular, legitimate ongoing exchange of personal information between two agencies for law enforcement purposes – occurring consistently with QPP obligations then entering into a Memorandum of Understanding which sets out the requirements and procedures for each agency will minimise the risk of a privacy breach.

Information sharing in disaster events

Disaster events include natural disasters, such as tropical cyclones, floods, bushfires and storms, and the serious disruption caused by the impact of a pandemic, all of which can directly affect the public's health, safety, and well-being.

Disaster events can exact a corresponding cost on communities and businesses, and impact government's ability to deliver services. The risk and impact of disaster events is exacerbated during Queensland’s storm season and flu season which carries an increased risk of an outbreak of human influenza.

What is a disaster?

The Disaster Management Act 2003 defines a disaster as:

…a serious disruption in a community, caused by the impact of an event, that requires a significant coordinated response by the State and other entities to help the community recover from the disruption.

A critical component of this coordinated response is the timely exchange of accurate, complete, and up to date information, including the personal information of all individuals affected by a disaster event and those involved in its management.

Can agencies share personal information in a disaster or emergency situation?

There are privacy considerations whenever a Queensland government agency deals with personal information. While it is a common misconception that the privacy principle requirements in the IP Act work against the sharing of personal information between agencies, the reality is that they not only provide generous flexibility for information exchange in disaster event circumstances, they do so without compromising the privacy of that information once the disaster event has been dealt with.

Information about an individual is distinct from information about things associated with an individual or even information of great interest to individuals. For example, a land map showing the extent of flooding in a particular area would generally not be personal information, even though there would be individuals whose properties fall within the area shown on the map.

What flexibilities does the IP Act provide?

In the context of a disaster event, there may be no or few reasonable steps the agency can take to inform people under QPP 5 when collecting personal information.

An agency can use or disclose personal information to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety where it's impracticable to obtain the individual's consent. This will be extremely relevant in disaster events, the nature of which will often making obtaining consent impracticable.

While it could appear limiting that the threat must be serious, Queensland’s experience has shown that disaster events often have tragic consequences, meaning they will generally represent a serious threat. It is not necessary for the threat to be immediate or imminent, which allows this exemption to cover prevention; it can encompass steps taken to ensure that the threat does not eventuate.

If certain conditions are met, agencies can also use or disclose personal information if they reasonably believe doing so is reasonably necessary to locate a person reported as missing.

Individuals can expressly or impliedly consent to a secondary use or disclosure of their personal information. While it may be most common to seek consent when the agency wants to use or disclose the personal information, agencies could consider obtaining consent in advance of a disaster event, with the consent being relied on should a disaster occur.