In effect from: 1 July 2025

What are the key privacy concepts

The key privacy concepts explain and define words and phrases that are used in, and relevant to, the Information Privacy Act 2009 (Qld) (IP Act) and its Queensland Privacy Principles (QPPs). They should be read in conjunction with the OIC's guidance on the IP Act.

Key privacy concepts A-L

The IP Act applies to agencies. Section 18 provides that an agency is a Minister, a department, a local government, and a public authority.

If a body is established to help an agency, or perform functions connected with an agency, then it is considered to be part of that agency and not an agency in its own right. These bodies can include boards, councils, committees and subcommittees.

Agency does not include the entities listed in schedule 2 of the IP Act, which are either entirely excluded from the IP Act, or excluded for specific functions. These include the Legislative Assembly, commissions of inquiry, Government Owned Corporations, and courts and tribunals in relation to their judicial or quasi-judicial functions.

Australian law means a law of the Commonwealth or a State and includes the common law. This includes the requirement to provide people with natural justice.

A bound contracted service provider is a contracted service provider bound under chapter 2, part 3 of the IP Act to comply with the QPPs, the overseas disclosure rule in section 33, and any QPP code issued under section 41, as if the contracted service provider were an agency.

An order of a court or tribunal includes an order, direction, or other instrument (order) made by any Commonwealth, State or Territory court or tribunal, including a coroner or justice.

Use, disclosure, or collection will be required by the order if the agency has no option not to use, disclose or collect the information as set out in the order, eg a subpoena that requires the agency to provide information or produce records or documents.

Use, disclosure, or collection will be authorised under the order if:

  • the order gives the agency permission to, but does not require it to, collect, use, or disclose personal information; or
  • the agency has the option to not comply with the order.

Criminal offences are defined in the Criminal Code Act 1899 (Qld). Criminal offences are also contained in other legislation, such as the Vegetation Management Act 1999 (Qld) or the Animal Care and Protection Act 2001 (Qld).

Schedule 5 of the IP Act defines de-identification as amending personal information so it is no longer about an identified individual or an individual who is reasonably identifiable. De-identification can be technically complex and often requires specialist advice.

There are many de-identification techniques that can protect privacy and ensure data is still useful for its intended purpose. Selecting an effective de-identification technique, or a combination of techniques, requires a sound understanding of the data itself. Direct identifiers in data are likely to be obvious, such as name, address, driver licence number and telephone number.

However, data can also contain other unique values that, while not personal information on their own, can quickly identify an individual when linked with other available information.

De-identification is not just removing obvious personal information. Simply removing direct identifiers, like names and date of birth, is not always sufficient to adequately de-identify data and manage re-identification risk.

De-identification techniques include:

  • Suppression—removing data that may identify individuals or which in combination with other information is reasonably likely to identify an individual.
  • Rounding—grouping identifiers into categories or ranges. For example, age can be combined in ranges (25-35 years) rather than single years (27, 28). Extreme values can also be grouped in a range, such as an age value of ‘85+ years’.
  • Perturbation—altering, in a small way, data that is likely to enable the identification of an individual, such that the aggregate information is not significantly affected but the original values cannot be known with certainty. For example, randomly adding or subtracting 1 to a person’s year of birth.
  • Swapping—swapping information that is likely to enable the identification of an individual for one person with the information for another person with similar characteristics to hide the uniqueness of some information.
  • Sampling—when large numbers of records are available, it may be adequate to release a sample of records. This can create uncertainty that a person is included in the sample.
  • Generating synthetic information—mixing up the elements of a dataset—or creating new values based on the original information—so the overall totals, values and patterns of the data are preserved but do not relate to any particular individual.
  • Encryption or ‘hashing’ of identifiers—data is encrypted or obscured using a scheme that enables accurate analytics to be performed on it, while never revealing the encrypted raw data.

Agencies should seek expert advice to understand their data and determine the appropriate de-identification technique(s).
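An added example (not part of the OIC guidance) that applies three of the listed techniques to constructed records: suppression of names, keyed hashing of a licence number, and rounding of age. It then counts how many records share each age and postcode combination, a k-anonymity style check that the guidance does not name; the field names, sample values and the threshold of 2 are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"name": "A. Citizen", "licence": "012345678", "birth_year": 1999, "postcode": "4000", "condition": "asthma"},
    {"name": "B. Citizen", "licence": "023456789", "birth_year": 1997, "postcode": "4000", "condition": "diabetes"},
    {"name": "C. Citizen", "licence": "034567890", "birth_year": 1994, "postcode": "4000", "condition": "asthma"},
    {"name": "D. Citizen", "licence": "045678901", "birth_year": 1991, "postcode": "4000", "condition": "asthma"},
    {"name": "E. Citizen", "licence": "056789012", "birth_year": 1973, "postcode": "4870", "condition": "diabetes"},
    {"name": "F. Citizen", "licence": "067890123", "birth_year": 1967, "postcode": "4870", "condition": "asthma"},
    {"name": "G. Citizen", "licence": "078901234", "birth_year": 1936, "postcode": "4870", "condition": "dementia"},
]
AS_AT_YEAR = 2025                       # assumed reference year for computing age
QUASI_IDENTIFIERS = ("age", "postcode")  # assumed indirect identifiers in this dataset

# Pseudonymisation key. Anyone holding it can recompute the pseudonyms, so it
# must be stored apart from the released data (the pseudonym reversal risk).
KEY = secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier: stable for linkage, not reversible without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def age_band(age: int, width: int = 10, top: int = 85) -> str:
    """Rounding: place an age in a range, grouping extreme values as '85+'."""
    if age >= top:
        return f"{top}+"
    low = (age // width) * width
    high = min(low + width - 1, top - 1)
    return f"{low}-{high}"


def strip_direct_identifiers(records, key, as_at_year):
    """Suppress the name, replace the licence number with a pseudonym, keep exact age."""
    return [
        {
            "pid": pseudonymise(r["licence"], key),
            "age": as_at_year - r["birth_year"],
            "postcode": r["postcode"],
            "condition": r["condition"],
        }
        for r in records
    ]


def round_ages(records):
    """Replace each exact age with its range."""
    return [{**r, "age": age_band(r["age"])} for r in records]


def group_sizes(records, quasi=QUASI_IDENTIFIERS):
    """Count records sharing each combination of indirect identifiers."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def smallest_group(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group; 1 means at least one record is unique."""
    sizes = group_sizes(records, quasi)
    return min(sizes.values()) if sizes else 0


def suppress_small_groups(records, k, quasi=QUASI_IDENTIFIERS):
    """Suppression: drop records whose combination is shared by fewer than k records."""
    sizes = group_sizes(records, quasi)
    return [r for r in records if sizes[tuple(r[q] for q in quasi)] >= k]


if __name__ == "__main__":
    stage1 = strip_direct_identifiers(RECORDS, KEY, AS_AT_YEAR)
    stage2 = round_ages(stage1)
    stage3 = suppress_small_groups(stage2, k=2)
    for label, data in (("direct identifiers removed", stage1),
                        ("ages rounded", stage2),
                        ("small groups suppressed", stage3)):
        print(f"{label}: {len(data)} records, smallest group = {smallest_group(data)}")
```

With names and licence numbers removed, every exact age and postcode pair is still unique; rounding leaves the single '85+' record unique until it is suppressed.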

Section 23(1) of the IP Act provides that an agency discloses personal information if it gives personal information to a second entity or places it in a position to find it out and:

  • the second entity does not already know it and is not in a position to find it out on their own; and
  • the agency ceases to have control over who will know the personal information in the future.

The second entity does not know the personal information

To be a disclosure, the second entity must not already know the personal information or be in a position to find it out.

It is not sufficient to assume the second entity knows the personal information, or that they are likely to be aware of it. Agencies must have evidence that the second entity actually knows the information before relying on that knowledge to decide that giving it to them is not a disclosure.

For example: An agency officer phones Individual A to give them some information about their application for flood relief, but they're not home. Person B answers the phone and says the officer can tell them, because they “know all about it”. The officer has no verifiable evidence that Person B does, in fact, know all about it, which means they can't determine if giving the information to Person B would be a disclosure.

However, if the application had been jointly made by Individual A and Person B, the officer could be satisfied that Person B knew the personal information of Individual A, and so telling them would not be a disclosure.

And is not in a position to find it out

If the second entity does not know the personal information, agencies need to consider if they are in a position to be able to find it out.

It is not sufficient that the second entity can ask the individual for the information. There must be something in the relationship between the second entity and the personal information or the individual that means the second entity has the power to acquire it through other means.

However, if the second entity is in a position to acquire the information through other means, agencies should consider whether it is more appropriate for the second entity to acquire it in that other way.

Gives or places in a position to find out

To be a disclosure, the agency must give personal information to the second entity or place the second entity in a position to find it out.

An agency gives personal information to the second entity when it communicates it to them directly, for example by emailing it or providing it verbally over the phone.

An agency places the second entity in a position to find personal information out when the agency does something with the entity or the personal information that allows the entity to discover it, for example:

  • the agency publishes personal information on its website
  • the agency gives a third party access to a database of personal information; or
  • the agency fails to properly secure its systems, which allows someone to access personal information.

Ceases to control who will know the personal information

Disclosure also requires that, once the second entity has the personal information or is in a position to find it out, the agency ceases to have control over who will know it in the future.

The agency ceases to have control if it has no right or power to determine or influence how the second entity will deal with the personal information. For example, the agency must not be able to:

  • prevent the second entity from using the information
  • prevent the second entity from giving it to any other entity
  • require it to be stored or secured in a particular way; or
  • require its return or destruction.

If the agency does have the power to control how the second entity handles or deals with the personal information, then giving it to the second entity is not a disclosure.

Schedule 5 of the IP Act defines enforcement-related activity as:

  • the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions
  • the enforcement of laws relating to the confiscation of the proceeds of crime
  • the protection of the public revenue
  • the prevention, detection, investigation or remedying of seriously improper conduct
  • the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Enforcement encompasses the whole activity, from initial inquiries to the hearing of a matter in a court or presentation to a decision maker or non-judicial member. It also includes gathering intelligence to support the investigation function of enforcement bodies or providing information to the relevant enforcement body.

The function of an agency may be broadly defined under an Act and refined by Regulation, departmental or Council policy, Ministerial direction, government strategies or arrangements, or whole of government or whole of sector policies.

Identifying an agency’s functions requires a consideration of the instruments that confer, describe, or apply to the agency’s responsibilities and obligations. These can include:

  • Acts and subordinate legislative instruments
  • the Administrative Arrangements Orders
  • government decisions or Ministerial statements that announce a new government function
  • the agency’s Publication Scheme; and
  • the agency’s Annual Report.

The activities of an agency will be related to its functions and include incidental and support activities, such as human resource, corporate administration, property management and public relations activities.

When considering whether something falls within a function or activity of the agency, one starting point is to ask: 'can the agency legitimately do this' or 'is this within the agency's mandate'. This includes not just the agency's outward facing mandates, ie the functions it carries out for the community, but its inward facing ones, ie the functions it carries out with regard to its staff.

A health agency is the Department of Health or a Hospital and Health Service (HHS).

Health information is included in the definition of sensitive information and is personal information about an individual that includes any of the following:

  • the individual’s health at any time
  • a disability of the individual at any time
  • the individual’s expressed wishes about the future provision of health services to the individual
  • a health service that has been provided, or that is to be provided, to the individual
  • personal information about the individual collected for the purpose of providing, or in providing, a health service; or
  • personal information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual’s body parts, organs or body substances.

Personal information is held by a relevant entity, or the entity holds personal information, if the personal information is contained in a document in the possession, or under the control, of the relevant entity.

Law enforcement agency is defined in schedule 5 of the IP Act. For the entire IP Act, a law enforcement agency is the Queensland Police Service under the Police Service Administration Act 1990, the Crime and Corruption Commission, the community safety department, or any other agency to the extent that it has responsibility for:

  • the performance of functions or activities directed to the prevention, detection, investigation, prosecution or punishment of offences and other breaches of laws for which penalties or sanctions may be imposed
  • the management of property seized or restrained under a law relating to the confiscation of the proceeds of crime
  • the enforcement of a law, or of an order made under a law, relating to the confiscation of the proceeds of crime
  • the execution or implementation of an order or decision made by a court or tribunal; or
  • the protection of public revenue.

For QPP 6, a law enforcement agency also includes an enforcement body under the Privacy Act 1988 (Cth), which includes:

  • the Australian Federal Police
  • Customs
  • any government body of the Commonwealth with responsibility for revenue protection or administering or performing a function under a law imposing penalties or sanctions; or
  • any government body of a State or Territory (including Queensland) with responsibility for revenue protection or administering or performing a function under a law imposing penalties or sanctions.

If a law requires someone to pay a sum of money for breaching it, it is a law imposing a penalty.

A law imposes a sanction if it takes away a right or privilege or allows some disadvantaging action other than the imposition of a monetary penalty. For example:

  • removal or suspension of a licence or entitlement
  • disciplinary action (such as suspension, a pay cut, or dismissal); or
  • the withdrawal of a benefit.

Key privacy concepts P-U

Under QPP 3.4 an agency can collect sensitive information without consent, and under QPP 6.2(c) an agency can use or disclose personal information for a secondary purpose if a permitted general situation applies. The permitted general situations are listed in schedule 4, part 1 of the IP Act.

A health agency can, as per QPP 3.4(c) and QPP 6.2(d), collect, use or disclose health information for a permitted health situation. The permitted health situations are set out in schedule 4, part 2 of the IP Act.

Section 12 of the IP Act defines personal information for both the IP Act and the RTI Act, and states:

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Common examples include an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details, and commentary or opinions made by or about the individual. Generally, the presence of an individual’s name in a document is sufficient to make it personal information.

Does not include information about the deceased

Individual is not defined in the IP Act, but it is defined in the Acts Interpretation Act 1954 (Qld) as a natural person. This means that only living individuals can have personal information.

Information about a deceased person is no longer personal information for the deceased, but it may be the personal information of other, still living individuals. For example, coronial records often contain personal information about the deceased individual's family and friends, and health records may contain biological information about family, such as inheritable genetic conditions.

Whether true or not

The definition of personal information specifically provides that the information or opinion is not required to be true in order to be personal information.

Whether recorded in a material form

The definition of personal information also provides that information does not have to be recorded in a material form to be personal information. Personal information communicated verbally or by signals (for example, sign language) still attracts the QPPs, even if it is never written down or recorded. However, some QPPs only apply if the information is held or collected by the agency.

For personal information that is recorded in a material form: material form is not limited to text in a document or electronic message. Personal information can be images, videos, sounds, or discoverable from a physical object, such as DNA in a blood sample.

Whether information is about an individual

For information to be personal information it must be about an individual who is or can be identified. Information is about an individual where there is a sufficient connection between the information and the individual.

Some information will obviously be about an individual, e.g., name, date of birth, medical records, financial records, bank details or salary.

Where information is not obviously about an individual, it is critical to consider the context surrounding the information, because information that appears to be about something other than an individual, e.g., a car, boat, or piece of land, can also be about an individual.

For example, in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC (noting the question on appeal was limited to the statutory construction of the words ‘about an individual’ as they applied in the Privacy Act 1988 before 12 March 2014), the Court, in determining that metadata held by a company was not about an individual, stated:

“The words “about an individual” direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not “about an individual” it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual.”

Note that the decision does not mean that metadata, or data that can be linked with other data, can never be ‘about’ an individual.

The key question is: taking into account all the circumstances in which the information appears, is there a sufficient connection between the fact or opinion and the individual to reveal something about the individual.

The Commissioner considered whether information was about an individual in both Mahoney and Tomkins and Rockhampton Regional Council [2016] QICmr 2 (22 January 2016) (Tomkins), applying Mahoney.

In Mahoney, the Commissioner considered whether information directly and indirectly related to the applicant's land was personal information. The applicant submitted that the fact of her ownership provided a sufficient link between herself and the information to make it her personal information.

The Commissioner did not accept that information of significance to land owned by the applicant was necessarily the applicant's personal information. The Commissioner held that the information did not reveal a fact or opinion about the applicant and, without more, there was insufficient connection between the information and the applicant to make it information about the applicant. The information was about the applicant's land rather than the applicant and was not the applicant's personal information.

In Tomkins, the Commissioner considered whether photographs of dogs and interview recordings with a person attacked by specific dogs were about the individual dog owner. The recordings were about the victim’s account of the attack and her consideration of the dog photos. There was no information on the photographs that related to the dog owner, only handwritten numbers.

The Commissioner decided neither the recordings nor the photographs were about the dog owner because neither revealed a fact or opinion about the dog owner nor was there a sufficient link or connection between the information in the recording or photographs and the dog owner.

Whether the individual can be reasonably identified

For information to be personal information it must be about an individual who is or can be identified. Whether an individual is identified or can be identified will depend on the circumstances and nature of the information.

The individual is identified

An individual will be identified from information where they can be identified from the information itself, without referring to any other information. For example:

  • where the information includes the person's name
  • where the information includes the person's photograph, where they can be clearly seen in the photograph; or
  • where the information is so unique that it cannot be about anyone else, for example, if the information says it is about 'the woman who was Queen of England in 2008'.

The individual is reasonably identifiable

While the term ‘apparent’ requires that the individual can be identified from the information itself, reasonably identifiable allows for the information to be compared or cross-referenced with other information to identify the individual in question.

When determining whether an individual is reasonably identifiable, the only relevant question is whether identity could be ascertained, not whether someone actually intends to do so.

How far the comparison or cross-referencing can go and still be considered reasonable will depend on the circumstances. Where it is technically possible to identify an individual but doing so is so impractical there is almost no chance of it occurring, or the steps required to do so are excessively time-consuming or costly, the individual's identity would not generally be regarded as reasonably identifiable.

Relevant factors include:

  • The availability of the secondary material: is it readily available to all or can it only be obtained by a limited class of persons? Most entities and individuals would encounter difficulty in using a licence plate number to identify the registered owner of a car, as they would not have access to the car registration database. By contrast, an agency or individual with access to that database may be able to identify the owner. Accordingly, the licence plate number may be ‘personal information’ held by that agency or individual but may not be personal information if held by another entity.
  • The number of steps required to be taken to determine the individual’s identity: will it involve referencing a single source of secondary information, or will it involve a chain of linkages? The more steps involved, the less likely it is that the identification will be considered reasonable.
  • The level of certainty of the identification: will the linkage between the information and the secondary source allow a single individual to be identified, or will it narrow it only to one of a class of individuals?
  • The ability of the person receiving or collecting the information to use it to identify an individual: for example, information that an unnamed person with a certain medical condition lives in a specific postcode may not enable the individual to be identified, and consequently not be personal information. However, if it is held or received by an agency or individual with specific knowledge that could link an identifiable individual to the medical condition and postcode, it will be personal information.
  • The uniqueness of the information: For example, a common surname shared by many people may not be enough on its own to reasonably identify a particular individual. However, if the surname is unique, or the common surname is combined with other information, such as address or other contact information, the identity of the individual may be reasonably identifiable, making the information personal information.

For information that is publicly released, e.g., published on an agency website, the question is whether a reasonable member of the public who accesses that information could identify the individual.

The Macquarie Dictionary defines ‘practicable’ as ‘capable of being done’, especially with the available means or with reason or prudence, i.e. it is feasible to be done. Whether something is practicable or not will be determined having regard to all the circumstances.

It is not sufficient to consider something not practicable simply because it is inconvenient, difficult, or will increase costs. While these factors, and their severity, can be relevant when determining if something is or is not practicable, the fact that a practice is made slightly more onerous is not enough.

When would something be ‘impracticable’?

Some of the factors that could make an action impracticable are where meeting the standard or principles would:

  • increase costs to an unworkable extent, such that a project or action in the public interest could not be undertaken – if the project or action will primarily or only benefit an agency, this may not be a valid consideration
  • render a legitimate and lawful action pointless, such as provision of a collection notice when collecting information covertly as part of a law enforcement investigation
  • make a legitimate action in the public interest extremely difficult or impossible
  • endanger the health or safety of an individual, or an investigation into a breach of the law
  • be contrary to the public interest.

The primary purpose is the reason why personal information was collected by an agency. An agency must have a purpose for collecting personal information; it cannot be collected for the sake of having it or against a possible future need. There must be a clearly defined reason for its collection linked to the agency's functions.

The purpose of collection will need to be articulated to meet the obligations in QPP 3 and QPP 5, and to assess whether unsolicited personal information could have been collected under QPP 4. A purpose which is too broad, or which is not sufficiently defined, may not be a legitimate purpose under those privacy principles.

The purpose for which personal information is to be collected should be specifically defined before the agency begins to collect it.

For an agency, the privacy principle requirements are the requirements in chapters 2 and 3 of the IP Act that apply to the agency.

For a bound contracted service provider, the privacy principle requirements are requirements under chapter 2, parts 1 and 2 and section 41 applying to the service provider under section 36(1).

The privacy principle requirements do not apply to the documents listed in schedule 1 of the IP Act.

Laws relating to confiscation of the proceeds of crime enable the proceeds, benefits and property derived from criminal activity to be traced and provide for the forfeiture of property used in connection with the commission of criminal offences.

There are two confiscation schemes in Queensland:

  • Conviction based confiscation: administered by the Office of the Director of Public Prosecutions. This occurs when a direct link can be established between a crime of which someone has been convicted and an asset.
  • Confiscation without conviction (civil confiscation): administered by the Crime and Corruption Commission under the Criminal Proceeds Confiscation Act 2002 (Qld). This allows property to be restrained on the basis of reasonable suspicion of serious crime-related activity.

Publish means to issue, or cause to be issued, in print or digital formats, for sale or distribution to the public, as a book, ebook, blog, periodical, images, sheet music, sound recordings, or the like, or to make publicly or generally known.

For section 28 of the IP Act, publish means publish the information by way of television, newspaper, radio, internet or other form of communication.

Reasonableness requires a balanced and objective view to be brought to the question, one that looks beyond simply the agency’s interests. A fair, proper, and moderate approach must be taken, to ensure that all relevant factors are considered and properly balanced.

Determining what is reasonable will depend on many factors, including the agency, its responsibilities, the personal information in question, the public interest in the proposed action, and any other relevant circumstances. Generally, the practical difficulty or cost will not make something unreasonable.

The reasonable steps an agency must take to meet an IP Act obligation will depend on the circumstances, for example:

  • The amount and sensitivity of the personal information being dealt with. Generally, as the amount and/or sensitivity of personal information increases, so do the steps it is reasonable for an agency to take.
  • The possible adverse consequences for an individual if an obligation is not met. More rigorous steps may be required as the risk of adversity increases.
  • The practical implications of implementing the obligations, including time and cost involved. However, the fact that it would be inconvenient, time-consuming or impose some cost is not enough to make the steps unreasonable. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances.

The phrase ‘reasonably believes’ imposes an objective test, having regard to how a reasonable person, properly informed, would be expected to act in the circumstances. An agency must have a reasonable basis for the belief, and not merely a genuine or subjective belief. An agency will be responsible for establishing it holds a reasonable belief.

Whether something is reasonably necessary is an objective test: would a reasonable person who is properly informed agree that the collection, use or disclosure is necessary. The onus lies with the agency to justify that the particular collection, use or disclosure was reasonably necessary.

This requires the agency to consider whether the collection, use or disclosure will actually assist in achieving the purpose. Generally the agency must:

  • be satisfied that there is a link between the proposed collection, use or disclosure and the purpose; and
  • establish that the link is sufficient to make the collection, use or disclosure of information reasonably necessary.

It need not be essential or critical to the activity, but it must be more than just helpful or expedient.

It is important to take a practical approach when making this determination. If an agency cannot in practice effectively pursue or perform a function without collecting, using or disclosing information, collection, use or disclosure will generally be considered reasonably necessary for that function or activity.

However, if there are reasonable alternatives available, for example, if de-identified information would be sufficient for the function or activity, it will be more difficult to establish that the collection, use or disclosure is reasonably necessary.

Agencies cannot solely rely on normal business practice in assessing whether collection, use or disclosure is reasonably necessary. The primary consideration is whether, in the specific circumstances, the collection, use or disclosure is reasonably necessary.

Re-identification happens when someone is able to identify who purportedly de-identified data is about. It often occurs when de-identified data is combined with other available information to reveal an identifiable individual.

A re-identification event may breach the IP Act and disclose personal information about individuals. It also has the potential to undermine public trust in government and discourage other agencies from sharing information.

Sources of information that could lead to a re-identification event include:

  • other public datasets and information, including social media
  • non-public datasets, for example, a business’s customer database; and
  • personally observed information, for example, overhearing a conversation or witnessing an event.

Re-identification can also occur without auxiliary information due to, for example:

  • Inadequate de-identification, with identifying information inadvertently left in the data.
  • Pseudonym reversal, eg where an algorithm with a key is used to assign pseudonyms, it can be possible to use the key to reverse the pseudonymisation process to reveal identities.
  • Inferential disclosure, when personal information can be inferred with a high degree of confidence from statistical attributes of the data.
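The following Python check is an added illustration, not part of the OIC guidance. It shows how a data custodian might screen a purportedly de-identified release for two of the risks above: records left almost unique by their remaining attributes, and groups where a sensitive value can be inferred for every member. The records, field names, the threshold `k=3` and the `generalise` helper are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: names removed, but quasi-identifiers remain.
RECORDS = [
    {"postcode": "4000", "birth_year": 1980, "sex": "F", "condition": "asthma"},
    {"postcode": "4000", "birth_year": 1980, "sex": "F", "condition": "diabetes"},
    {"postcode": "4000", "birth_year": 1980, "sex": "F", "condition": "asthma"},
    {"postcode": "4101", "birth_year": 1975, "sex": "M", "condition": "hepatitis"},
    {"postcode": "4101", "birth_year": 1975, "sex": "M", "condition": "hepatitis"},
    {"postcode": "4101", "birth_year": 1975, "sex": "M", "condition": "hepatitis"},
    {"postcode": "4870", "birth_year": 1952, "sex": "M", "condition": "cancer"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def assess_release(records, quasi_ids, sensitive, k=3):
    """Return (group_key, risk, group_size) for each risky group of records."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[q] for q in quasi_ids)].append(rec[sensitive])
    findings = []
    for key, values in sorted(groups.items()):
        if len(values) < k:
            # Fewer than k people share these attributes: easy to single out
            # by matching against another dataset or personal knowledge.
            findings.append((key, "small_group", len(values)))
        elif len(set(values)) == 1:
            # Everyone in the group has the same sensitive value, so it can
            # be inferred for any person known to be in the group.
            findings.append((key, "homogeneous", len(values)))
    return findings


def generalise(records):
    """Hypothetical mitigation: keep only a coarse region and sex."""
    return [
        {"postcode": r["postcode"][0] + "xxx", "sex": r["sex"],
         "condition": r["condition"]}
        for r in records
    ]


if __name__ == "__main__":
    print(assess_release(RECORDS, QUASI_IDENTIFIERS, "condition"))
    print(assess_release(generalise(RECORDS), ("postcode", "sex"), "condition"))
```

On the sample data the first call flags one homogeneous group and one single-record group; after generalisation no group is flagged, at the cost of less detailed data.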

Collection, use or disclosure is required under an Australian law where:

  • the law in question specifically requires collection of the information, or requires the agency holding the information to use it or disclose it for the secondary purpose – ie, where the agency cannot choose to act differently; and
  • the law gives a third party the power to compel the production of information from the agency and the agency complies.

It will be authorised under a law where the collection, use or disclosure is permitted but not required. The law must clearly and expressly give the holding agency the discretion to collect, use or disclose the personal information for that purpose.

It is not sufficient that the action is within the agency’s lawful functions. It must be able to point to a specific law that permits the use or disclosure.

A general or incidental power granting an agency the power to ‘do anything necessary’ or ‘do anything else in connection with’ will not be sufficient. The power or law must use clear and direct language.

The public revenue includes levies, taxes, rates and royalties charged on a regular basis. It does not include occasional charges, such as fines, or the recovery of the occasional overpayment by an agency.

Protection of the public revenue includes the activities of agencies and bodies intended to ensure that lawful obligations are met by those subject to the charges, such as routine collection, audits, investigatory and debt recovery actions. Prosecution for failure to pay the charge would fall under the criminal law exception.

It does not include activities intended to identify and eliminate inefficient but lawful spending of public money.

Personal information includes sensitive information, which is a specific category of personal information defined in schedule 5 IP Act. Sensitive information is information or an opinion about an individual’s:

  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual orientation or practices
  • criminal record
  • health information
  • genetic information that is not otherwise health information
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  • biometric templates.

QPP 3 and QPP 6 contain specific rules for the collection, use and disclosure of sensitive information.

Seriously improper conduct refers to serious breaches of standards of conduct associated with a person’s duties, and includes:

  • corruption, abuse of power, or dereliction of duty
  • breach of obligations that would warrant the taking of enforcement action against the person; or
  • any other seriously reprehensible behaviour.

In the Queensland public service, seriously improper conduct can be identified by reference to:

  • official misconduct under the Crime and Corruption Act 2001 (Qld)
  • misconduct under the Police Service Administration Act 1990 (Qld) or the Public Sector Act 2022 (Qld)
  • other conduct under chapter 2, part 8 of the Public Sector Act 2022 (Qld) where it is serious and improper
  • a breach of the Public Sector Ethics Act 1994 (Qld) or of a Code of Conduct under that Act; or
  • a criminal offence.

Misconduct of this type may also be set out in specific statutes applying only to certain agencies.

Section 23(2) of the IP Act provides that an agency uses personal information if it:

  • manipulates, searches, or otherwise deals with the personal information; or
  • takes the information into account in the making of a decision; or
  • transfers the information from a part of the entity having particular functions to a part of the entity having different functions.

However, as set out in section 23(3), this is not an exhaustive list. There are very few actions an agency can take in relation to personal information that will not be a use.

One significant exception is disclosure. Under section 23(4), a use can never be a disclosure.