Overview of the Information Privacy Principles

The Information Privacy Principles (IPPs) place strict obligations on an agency1 when it collects, stores, uses and discloses personal information. However, some exemptions can apply to certain agencies when dealing with particular personal information. The IPPs are set out in schedule 3 of the Information Privacy Act 2009 (Qld) (IP Act).

Collection

An agency may request personal information from an individual or from a third party provided the following criteria are met:

  • the agency must only ask for the specific personal information required to fulfil the lawful purpose that is directly related to the function of the agency2
  • if the information is collected directly from an individual, the agency must tell the individual what the information is going to be used for before, or at the point of collection where possible; if not possible – as soon as practicable after the information is collected3; and
  • the agency must not collect information by unlawful or unfair means, including by trickery, deception or misleading conduct.4

Agencies are required to provide notice, including the specific purpose for using the information, when collecting an individual's personal information. This is commonly known as a collection notice, and can be provided in writing as well as verbally. Although an agency has to take all reasonable steps to provide a collection notice prior to collecting personal information, in certain circumstances this will not be possible.

The relevance of personal information collected is an important consideration significant to IPP 3. It is the agency’s responsibility to identify the specific purpose of why such personal information relates to the functions of the agency, and to ensure that the collection method only captures the relevant personal information requested.

Personal information must not be collected for purposes which do not relate to the functions of the agency.

For further information on IPPs 1 to 3, please see the Basic guide to IPPs 1 to 3 – Collection.

Storage and security

Under IPP 4, agencies must ensure that documents containing personal information are protected from:

  • loss
  • unauthorised access, use, modification or disclosure; and
  • any other misuse.

The level of storage and security will depend upon the nature of the personal information in the document and the risk of a security breach occurring. If a document contains extremely sensitive information, such as health or criminal records, an agency should take maximum care in protecting the information.

Agencies must also ensure that if it is necessary to disclose a document to a third party, all reasonable steps are taken to prevent unauthorised use or disclosure by that third party.

For further information on IPP 4, please see the Basic guide to IPP 4 – Storage and Security.

Access and amendment

IPP 5 requires agencies to disclose to the public the general types of information they hold, for what particular purpose, and how the information is proposed to be used.

There are two separate ways an individual may request to access their personal information as stated under IPP 6:

  • through chapter 3 of the IP Act; or
  • through IPP 6.

IPP 7 relates to the amendment of personal information held by agencies, and requires an agency to take all reasonable steps to assure the quality and accuracy of personal information prior to using it. Similar to accessing personal information, there are two separate ways of amending personal information:

  • through chapter 3 of the IP Act; or
  • through IPP 7.

For further information on IPPs 5 to 7, please see the Basic guide to IPPs 5 to 7 – Access and amendment.

Use and disclosure

IPP 10 provides that personal information must not be used for a purpose other than the particular purpose for which it was obtained, unless certain exceptions apply. IPP 11 provides that personal information must not be disclosed to a third party, unless certain exceptions apply.

Some of the exceptions include, for example:

  • where the individual has expressly or impliedly agreed to the use/disclosure
  • where the use/disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare
  • where the use/disclosure is required or authorised under law or necessary for law enforcement purposes; and
  • where the use/disclosure is necessary for research or statistical purposes.

Keep in mind when using personal information that:

  • before an agency can use personal information, it must take reasonable steps to ensure that the information is accurate, complete and up to date (IPP 8); and
  • when an agency proposes to use a document containing personal information for a particular purpose, the agency must only use those parts of the personal information which are directly relevant to fulfilling that particular purpose (IPP 9).

For further information on IPPs 8 to 11, please see the Basic guide to IPPs 8 to 11 – Use and disclosure.

  • 1 In this Guideline references to an 'agency' also include Ministers and bound contracted service providers, unless otherwise specified. [up]
  • 2 As outlined in IPP 1. [up]
  • 3 As outlined in IPP 2. [up]
  • 4 As required by IPP 1(2). [up]

Current as at: January 10, 2012