The Information Privacy Principles (IPPs) place strict obligations on an agency1 when it collects, stores, uses and discloses personal information. However, some exemptions can apply to certain agencies when dealing with particular personal information. The IPPs are set out in schedule 3 of the Information Privacy Act 2009 (Qld) (IP Act).
An agency may request personal information from an individual or from a third party provided the following criteria are met:
Agencies are required to provide notice, including the specific purpose for using the information, when collecting an individual's personal information. This is commonly known as a collection notice, and can be provided in writing as well as verbally. Although an agency has to take all reasonable steps to provide a collection notice prior to collecting personal information, in certain circumstances this will not be possible.
The relevance of personal information collected is an important consideration significant to IPP 3. It is the agency’s responsibility to identify the specific purpose of why such personal information relates to the functions of the agency, and to ensure that the collection method only captures the relevant personal information requested.
Personal information must not be collected for purposes which do not relate to the functions of the agency.
For further information on IPPs 1 to 3, please see the Basic guide to IPPs 1 to 3 – Collection.
Under IPP 4, agencies must ensure that documents containing personal information are protected from:
The level of storage and security will depend upon the nature of the personal information in the document and the risk of a security breach occurring. If a document contains extremely sensitive information, such as health or criminal records, an agency should take maximum care in protecting the information.
Agencies must also ensure that if it is necessary to disclose a document to a third party, all reasonable steps are taken to prevent unauthorised use or disclosure by that third party.
For further information on IPP 4, please see the Basic guide to IPP 4 – Storage and Security.
IPP 5 requires agencies to disclose to the public the general types of information they hold, for what particular purpose, and how the information is proposed to be used.
There are two separate ways an individual may request to access their personal information as stated under IPP 6:
IPP 7 relates to the amendment of personal information held by agencies, and requires an agency to take all reasonable steps to assure the quality and accuracy of personal information prior to using it. Similar to accessing personal information, there are two separate ways of amending personal information:
For further information on IPPs 5 to 7, please see the Basic guide to IPPs 5 to 7 – Access and amendment.
IPP 10 provides that personal information must not be used for a purpose other than the particular purpose for which it was obtained, unless certain exceptions apply. IPP 11 provides that personal information must not be disclosed to a third party, unless certain exceptions apply.
Some of the exceptions include, for example:
Keep in mind when using personal information that:
For further information on IPPs 8 to 11, please see the Basic guide to IPPs 8 to 11 – Use and disclosure.
Current as at: January 10, 2012