Privacy in government processes

In the State government, Administrative Arrangements Orders allocate the principal responsibilities of each Minister.  These responsibilities can be re-allocated, new agencies can be created, and old agencies disbanded.

These changes are called Machinery of Government changes (MoG changes) and will be reflected in new or amended Administrative Arrangements Orders.

MOG changes will generally involve the transfer of responsibilities and their records to or from agencies. The personal information in those records must be handled in compliance with the privacy principles.

Use and disclosure

Preparing records containing personal information for transfer to another agency is a use of the personal information. 

Transferring records containing personal information to another agency will generally be a disclosure.

Both of these must comply with the privacy principles.

The Administrative Arrangements Orders are made under section 44 of the Constitution of Queensland 2001. Queensland Privacy Principle 6 (QPP 6) allows personal information to be used or disclosed where it is authorised or required by law.

Because the Administrative Arrangements Orders are a law for the purposes of the privacy principles, any actions necessary to implement them will be authorised or required by law.

Once the new agency is in possession of the transferred records, it must deal with them in accordance with the relevant privacy principles.

Members of Parliament (MPs) often receive requests for help in dealing with agencies from their constituents. As part of helping their constituent, the MP will often contact the agency for more information or to assist in resolving an issue.

Can the agency discuss the situation with the MP?

If the agency talks to the MP about the constituent it will (in most cases) be disclosing personal information. Agencies are only allowed to disclose personal information in accordance with Queensland Privacy Principle 6 (QPP 6).

QPP 6 permits agencies to disclose personal information where the individual to whom the information relates has consented to the disclosure. This consent may be:

• express (the individual told the agency they could disclose information), or
• implied (it is obvious that the individual agrees to the information being disclosed).

As a general rule, agencies should be cautious about relying on implied consent because it requires the agency to make a judgement call about what an individual intends. However, while it is reasonable for an agency to rely on implied consent when an MP contacts an agency in response to a request from the constituent, the agency may also wish to be provided with a copy of the constituent’s request.

In some circumstances a document signed by the constituent may expedite requests for information; an example document is below.

Agencies and MPs should be aware that an individual’s agreement cannot override any law which prohibits the disclosure of information, for example the Hospital and Health Boards Act 2011 or the Child Protection Act 1999.

Identity of the constituent

An agency must be satisfied that the constituent is who they say they are before giving their personal information to the MP. The agency may rely on the MP’s knowledge of the constituent or they may take independent steps to verify the identity of the constituent, for example by checking the personal information held in the agency’s records against the information provided by the MP.

In cases where the constituent is unknown to the MP the agency will need to undertake a formal verification process before the personal information is disclosed. While there is no obligation on MPs to verify a constituent’s identity, electoral office staff may take practical steps to verify that an unknown person is on the electoral roll for that district or carry out some kind of identification check in order to minimise delays in obtaining personal information from agencies.

It is the responsibility of the agency, not the MP or their electoral staff, to verify the identity of the constituent, but the sample constituent consent form (below) may help establish this.

Limitation of the agreement

The constituent’s agreement for the agency to disclose information extends only to the issue about which they contacted their MP; personal information given to the MP must be relevant to the constituent’s particular issue.

If the constituent contacted the MP in writing, providing a copy to the agency will help the agency identify the scope of the implied agreement. If the constituent’s contact with the MP was verbal, the scope of the implied agreement will be as set out in the MP’s contact with the agency.

Personal information of third parties

An agency must not disclose the personal information of third parties when it provides information to the MP. The authority to disclose extends only to the personal information of the constituent who has contacted the MP. For example, if a sister contacts her MP complaining that her brother has been refused a driver’s licence, the agency cannot give the MP information about the brother unless the brother agrees.

Sample constituent consent

CONSENT TO DISCLOSE PERSONAL INFORMATION

I, [name of constituent] consent to the [name of agency] disclosing my personal information to the Honourable [name of MP], Member for [name of electorate] for the purposes of responding to [name of MP]’s inquiry on my behalf concerning [subject matter of inquiry].

…………………………………..……            ………………………………………

Signature          Date

Electoral Office use only

The person above:

• is known to the staff of the electoral office
• has verified their identity through a government-issued identity card (eg drivers license, social security card)/has verified their identity through alternate means/has not verified their identity [cross out whichever does not apply]
  

……………………………………..…            ………………………………………

Signature of MP or electoral officer Date

Queensland government agencies often conduct workplace surveys of some or all of their staff. They generally relate to topics such as staff satisfaction, workplace concerns, perceptions of their work, feedback on supervisors and/or other agency issues.

If agencies outsource the workplace survey to a contractor, the agency must take reasonable steps to bind the contractor to comply with the privacy principles. A failure to do so will make the agency liable for any privacy breach by the contractor.

Anonymous surveys

Workplace surveys are often conducted anonymously. However, even where surveys are designed to be anonymous there can be factors that can allow survey participants to be identified. These include the size of the agency or the community, questions that relate to unique characteristics of the participants, and the use of free text fields.

Size of the agency

Where an agency is large, eg a department with several thousand staff, the pool of participants will generally be large enough to obfuscate individual identities when dealing with generic responses. However, if the agency is small, eg a statutory body with 50 staff, individual staff members may be identifiable from even generic answers to questions, even on an anonymous survey.

Unique participants

For staff with unique characteristics that are the subject of survey questions, the recording of the characteristic could effectively de-anonymise the survey for those staff. The smaller the agency, the more likely this is to occur, but it can happen even in large departments.  For example, if the survey records the position held by the participant and this position is relatively unique, eg the Director-General, that participant will be readily identifiable.

Free text fields

Free text fields have the potential to enable the identification of both participants and other individuals in an otherwise anonymous survey, for example if a staff member writes the following: I am the Manager of the agency’s ICT Procurement Unit. I have concerns that the Principal Procurement Officer, James Brown, has taken shortcut with his assessment of due diligence for new ICT contracts.

In some instances, the writing style of an individual when entering responses in a free text field can provide sufficient context to identify the writer.

When preparing surveys, agencies should carefully consider whether a free text field is necessary.

Controlling free text fields

Adding a statement to free text fields that specifically asks participants not to include any personal information, of themselves or other people, may assist in keeping the survey anonymous. Agencies may want to consider advising participants that personal information is provided in the free text field:

• that it must be limited to their own information,
• that they do so voluntarily
• what it will be used for; and
• if it will be given to other parties.

Advising staff who are completing the survey

When collecting personal information, agencies must provide the individual with specific information. These include why the information is being collected and anyone it will be disclosed to. If the survey is being collected under a law, details of that law must also be included in the notice.

Where a survey is not anonymous, agencies must include a collection notice. Where it is intended to be anonymous but there is a reasonable chance that it could identify the staff member completing it despite the agency's intent, agencies should consider including a collection notice.

Confidentiality

Agencies often want to tell participants that the survey, its results, and/or any reports or documents produced from those results will be confidential. Confidentiality can be a complex area of the law that requires specific factors to be satisfied before it will apply. As such, care should be taken before giving assurances of confidentiality and agencies may wish to seek legal advice first.

Surveys for a purpose

Every workplace survey should be conducted for a purpose relevant to the agency's needs and functions. The questions asked should only collect information that relates to why the survey is being conducted.

QPP 3 provides that there are specific rules for the collection of sensitive personal information. Where questions collect sensitive information, particularly information related to EEO data, gender, sexuality and domestic violence, agencies should consider making the questions optional—particularly where the pool of participants is small and the answer might identify the person completing the survey.

As noted above, use of free text fields can risk collecting personal information that may not be required. Generally, using free text fields should only be done where there is a demonstrated need. Automatically including a free text field in every survey can result in collecting information for which the agency has no need, or in de-anonymising a survey which was intended to be anonymous.

Before adding a free text field, agencies should consider if they can elicit the desired information through specific questions.

De-identified information

Agencies may want to consider whether they can achieve desired outcomes using de-identified information. For example, where dealing with identifiable answers to surveys or personal information provided in free text fields that raise issues of concern, identifying specific staff members may not be necessary. Agencies should consider whether they can communicate and/or address the concerns in a more general way that captures the core or theme of the concern, without singling out the staff member or members who raised them.

Distributing the survey

Two common methods of distributing a survey are:

• promote its availability through established communication channels, such as the agency’s website or social media accounts; and
• use contact information (for example, email addresses) held by the agency to directly distribute the survey.

Under QPP 6, personal information can be used or disclosed for the primary purpose, for a directly related secondary purpose the individual would expect, or for any of the other circumstances set out in QPP 6.

Whether an agency can use existing contact information to distribute a survey depends on why the contact details were initially collected, ie the primary purpose of collection of those contact details. Examining information provided to the individual when their information was collected can assist in determining whether the survey is part of the primary purpose.

Sometimes an apparent secondary purpose will actually be part of the primary purpose. For example, conducting a trial of a product would entail collecting feedback on the product; the feedback is an integral part of the conduct of the trial and so it is part of the primary purpose.

If an agency provides a service to an individual and it obtains and uses a contact email to deliver that service, contacting the individual to obtain feedback on the service will generally be a directly related and expected secondary purpose.

Online survey tools

Section 33 of the IP Act states that an agency cannot disclose personal information outside Australia unless certain conditions are met.

Many popular online survey tools, such as SurveyMonkey and Google Forms, are provided by companies that are located overseas and/or use servers located outside Australia to store survey responses.

Also, if the agency intends to publish respondents’ survey responses online, for example, on a website or social media site, any personal information in the survey responses will potentially be disclosed outside Australia.

Section 33 sets out four circumstances in which an agency can disclose personal information out of Australia. The most likely to apply to conducting a survey are:

• where the individual the subject of the information consents to the disclosure; or
• where the recipient of information is subject to privacy obligations equivalent to the IP Act.

If a survey is voluntary, an agency can obtain the individual's consent by including a statement that completion means they consent to disclosure overseas at the commencement of the survey.

Reading terms and conditions

Before using an online survey tool, an agency should take reasonable steps to satisfy itself that the company which offers the tool will handle personal information appropriately.

Terms and conditions are not always easy to read as they can be long-winded, technically complex, or overly legalistic. However, if you know what to look for, you can easily get the information you are interested in. Here are a few pointers:

• Find the right section. While contract terms and conditions can be long, the ‘privacy’ section is usually only a few paragraphs and is often clearly titled with variations of ‘What personal information we collect’, ‘What we use it for?’, ‘Who we give it to’ and ‘How we protect your information’.
• How is the personal information going to be used? Check whether personal information will be used for other purposes. If additional uses are intended, look at whether there is an option to choose not to receive these services – such as an opt-out option.
• Will the personal information be given to someone else? Find out whether the personal information be shared with third parties and if so, for what purpose? Does the company use sub-contractors?
• How will the personal information be protected? Look for a description of the security measures that will be used to keep your personal information safe.

While the privacy issues may be generally applicable, this section specifically discusses the privacy impacts of public sector recruitment by Queensland government departments and agencies that have been declared public service offices under the Public Sector Act 2022. These will be collectively referred to as departments.

The Directives and rules this guideline discusses do not apply to local governments, universities, or public authorities not listed in the PS Regulation.

The below does not deal with department-specific legislation or employment-specific screening processes such as criminal history checks or Blue Card requirements.

Contracting out recruitment processes

If a department engages a private-sector contractor for any part of the recruitment process and recruitment material will pass between the department, the contractor and/or the applicants, the department must take reasonable steps to bind the contractor to comply with the privacy principles.

Recruitment material

Under QPP 5, when a department collects information from an individual it must tell them why it is being collected, any authority for its collection, and anyone it is the department’s usual practice to give it to. This can take the form of a notice included in recruitment material.

Only relevant personal information must be collected. Before preparing recruitment material, the drafter must understand what qualifications, experiences, skills and capacities the position requires. This will ensure recruitment material will not request irrelevant personal information from applicants.

If a position has mandatory qualifications or requirements, the recruitment material should make this clear. If a qualification or requirement is not required but is desirable, this distinction should also be made clear.

However, if qualifications or requirements are neither mandatory nor desirable, requesting information about them could result in the department collecting irrelevant personal information in breach of the privacy principles.

Employment screening

Any employment screening the position requires must be explained in the recruitment material, including any conditions that apply—for example,  that the position requires a criminal history check to which the prospective employee must consent.

Equal Employment Opportunity material

As part of meeting their Equal Employment Opportunity (EEO) obligations departments may ask applicants about EEO personal information. When doing so, it must be clear to applicants that providing this information is voluntary.

Reasonable adjustment requirements

Some applicants may need reasonable adjustments for interviews and/or aptitude tests. There is generally no need to ask about this at the initial stage, prior to selection of candidates for interviews or aptitude tests, because not every applicant will make it to those stages. Requesting this information before the department knows it will be required could lead to an unnecessary collection of personal information.

Unsolicited information

Applicants sometimes include irrelevant material in their application, such as personal interests or hobbies. Unsolicited personal information must be handled in accordance with QPP 4.

Dealing with application material

Under QPP 11, departments must protect the personal information they collect and hold against loss, misuse, and unauthorised access, use, modification and disclosure.

Applications and supporting documentation contain extensive amounts of personal information, such as education, referee, and contact details. Information concerning a person’s current employment and employment history is also their personal information. Access should be limited only to those involved in the process and applications must be stored securely and protected.

Distribution to panel members

Where the recruitment process is conducted wholly within the recruiting department, or the recruiting department retains control of material provided to people outside the department, distribution of applications among panel members will be part of the use for which the personal information was collected.

All panel members must store application material securely and not discuss it with anyone outside the panel. Application material must be returned to the panel chair or securely destroyed at the end of the recruitment process.

Assessment and shortlisting

Only relevant personal information can be used in the recruitment process. What constitutes relevancy should be decided based on the requirements of the advertised position.

Interviews and selection

The fact that an individual has applied for a position is their personal information. If a panel member calls an applicant and they are not available, they need to limit what they say. No assumption should be made that the person answering the phone knows about the applicant's application, even when the person is a close family member or spouse.

Conducting the interview

Interviewers must be careful not to ask for personal information not relevant to the position being applied for, even during casual conversation with the applicant. It could result in the department collecting irrelevant personal information in breach of the privacy principles. Additionally, the applicant may feel compelled to answer even conversational questions or think their answers will impact the panel’s assessment.

Referee reports

As part of the application material, applicants are generally required to provide details of at least one referee. Applicants are required to obtain a referee’s agreement to being consulted in a selection process, so the panel’s subsequent contact of the referee will not inappropriately disclose that the applicant has applied for the position. However, this only applies to the applicant’s nominated referees. Disclosure of the information to anyone else could be a breach of the privacy principles.

If the panel is unable to contact the referee, or if the referee is not able to provide meaningful comment on the applicant’s skills and experiences, the panel cannot opt to contact someone else. They must contact the applicant and ask them to nominate another referee and obtain the new referee’s agreement to be a referee before giving their details to the panel.

A referee report is the referee's opinion of the applicant, which is the referee’s personal information. This means the department must give comply with QPP 5 when collecting it, eg by providing a collection notice, although it can be verbal.

The collection notice does not need to be complex or overly formal. However, it must include that the panel is obligated to disclose any adverse comments about the applicant to the applicant so that they can respond.

Panel recommendation

In most cases, the panel members are not authorised officers or delegates with the authority to appoint the preferred applicant. They will generally be limited to preparing a statement on the shortlisted applicants, identifying the preferred applicant they recommend for appointment with reasons for their choice. The authorised officer or delegate will then review the recommendations and decide whether to approve the appointment.

The panel’s report should include only personal information about the applicants which is relevant to the decision to appoint an applicant to the position. What is considered relevant information will depend on the facts and circumstances of each matter.

Appointment

When the successful applicant is offered the position they should be told that their appointment may be announced in the Government Gazette. Because this disclosure is required by law it is not a breach of the privacy principles.

Records transfer

If the applicant was a public service officer in a department prior to being appointed, the Public Service Regulation requires that their employee record is transferred to their new department. Because this is required by law, it is not a breach of the privacy principles.

In Queensland, Ministers are responsible to Parliament and Parliament can require them to explain their Ministerial actions, or the actions of their departments. This is often done through Questions on Notice. The Standing Orders of the Legislative Assembly (Standing Orders) sets out the rules for Questions on Notice.

Legal effect of Standing Orders

Standing Orders are subordinate legislation that bind the members of the Legislative Assembly (the Assembly), and a Minister who refuses to answer a Question on Notice or provides a deliberately misleading answer can be found in contempt of the Assembly.

Content of and answers to Questions on Notice

There are restrictions on the content of Questions on Notice (the Question). Unless strictly necessary to render the question intelligible, and unless they can be authenticated, they must not include people’s names.

The Standing Orders require that the answer be relevant to the Question. As such if it was necessary for the Question to contain names, a relevant answer may also include names or other personal information. Where the Minister’s answer to the Question requires the disclosure of personal information, the disclosure by the Minister is authorised or required by law.

A Department will usually prepare the answer and any additional advice and provide it to the Minister, who will in turn provide the answer to the Assembly.

Disclosure to the Minister

Because the Department is not bound by the Standing Orders, it cannot rely on them to disclose personal information to the Minister. Section 38 of the IP Act, however, permits an agency to give necessary personal information to a Minister for the purposes of the Minister’s responsibilities in relation to that agency. This includes the preparation of, and briefing on background matters related to, Questions on Notice.