All agencies – Personal information access and openness obligations

Health agencies[1] are required to comply with the National Privacy Principles (NPPs), and all other agencies[2] with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).

Note

In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.

IPP 5 and NPP 5 require agencies to ensure people are able to find out about the kinds of personal information[3] the agency holds. Under IPP 6 and NPP 6, individuals must be able to access their personal information, subject to some limitations.

The privacy principles

IPP 5 - Openness

(1) An agency having control of documents containing personal information must take all reasonable steps to ensure that a person can find out—

(a) whether the agency has control of any documents containing personal information; and

(b) the type of personal information contained in the documents; and

(c) the main purposes for which personal information included in the documents is used; and

(d) what an individual should do to obtain access to a document containing personal information about the individual.

(2) An agency is not required to give a person information under subsection (1) if, under an access law, the agency is authorised or required to refuse to give that information to the person.

IPP 6—Access to documents containing personal information

(1) An agency having control of a document containing personal information must give an individual the subject of the personal information access to the document if the individual asks for access.

(2) An agency is not required to give an individual access to a document under subsection (1) if—

(a) the agency is authorised or required under an access law to refuse to give the access to the individual; or

(b) the document is expressly excluded from the operation of an access law.

NPP 5—Openness

(1) A health agency must set out in a document clearly expressed policies on its management of personal information and must make the document available to anyone who asks for it.

(2) On request by a person, a health agency must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

NPP 6—Access to documents containing personal information

(1) If a health agency has control of a document containing personal information, it must give the individual the subject of the personal information access to the document if the individual asks for access.

(2) A health agency is not required to give an individual access to a document under subsection (1) if—

(a) the health agency is authorised or required under an access law to refuse to give the access to the individual; or

(b) the document is expressly excluded from the operation of an access law.

Openness

Under IPP 5 and NPP 5, agencies must make general information available about:

  • the sort of personal information they hold
  • the purposes for holding the information; and
  • for health agencies, how they collect, hold, use and disclose the information.

Health agencies must make this information available on request; non-health agencies must ensure that people can find it out.

Agencies are not required to specifically document all the personal information they hold. Generic information about the types or classes of personal information held is sufficient.

Non-health agencies have an additional obligation to include information about how people can access their information, and health agencies have an obligation to produce their policies on managing personal information and make them available to anyone who asks. However, both obligations are best practice for all agencies.

Privacy plans or policies

For all agencies, the simplest way to meet these obligations is through a privacy plan or privacy policy available on the agency website. The policy should:

  • include the information required by IPP 5 or NPP 5
  • set out how the agency manages personal information
  • advise how individuals can access their personal information; and
  • include details about how to make a privacy complaint.

Hint

The policy should not simply be a restatement of the privacy principles. The key to an effective privacy policy is identifying the personal information an agency holds, what the agency does with it, what it needs to do, and what it can do under the IP Act.

Agencies could also:

  • ensure clients are provided with privacy brochures describing the agency's personal information handling practices
  • if needed, make people available to answer questions about information management practices
  • include privacy information, or links to the privacy information page, on relevant topic-specific agency webpages; or
  • include information on their websites about whether they contract out services that involve disclosing personal information.

When an agency is aware of any particular requirements affecting an individual requesting information about its privacy policy, it could consider presenting the information in a way that takes into account those requirements.

Some factors that may affect the way it presents information could include:

  • any disability the individual may have
  • the individual's level of understanding
  • the individual's language or literacy skills
  • how much information the individual wants, for example, the request may only be about the type of personal information an agency holds; or
  • providing information in a way that avoids jargon or in-house terms which would likely not be known by the individual.

Publication schemes

The Right to Information Act 2009 (Qld) requires agencies to publish a publication scheme which sets out the classes of information that the agency has available and the terms on which it will make that information available.

The information classes will likely include some of the agency's personal information. However, they will not provide a complete picture, and will not be sufficient to meet the requirements of IPP 5 or NPP 5.

Access to personal information

IPP 6 and NPP 6 provide that, where an agency has control of a document containing personal information, it must give the subject of the information access to the document if they ask. Chapter 3 of the IP Act gives an individual the right to apply for access to documents containing their personal information.

If an agency has a robust system of compliance with Chapter 3, it will generally have complied with IPP 6 or NPP 6. However, this does not mean that access to all personal information should be managed through the formal mechanisms in Chapter 3.

Agencies should have a general policy of openness. If the information is non-contentious, and access would not be refused if a formal application were made, people should be able to access their personal information without a formal application.

Bound contracted service providers

Bound contracted service providers (bound under section 35 of the IP Act) are not covered by Chapter 3 of the IP Act but are subject to IPP 6 or NPP 6.

Agencies should ensure that there are processes in place for individuals to access their personal information from bound contracted service providers.

For example, this could be done by:

  • ensuring the providers understand their access obligations under IPP 6 or NPP 6 and providing guidance; or
  • establishing in the contract that relevant documents remain under the control of the agency, which means individuals can apply to the agency for access to their information.

[1] In this guideline, health agency includes a bound contracted service provider to a health agency.
[2] In this guideline, agency includes Ministers and bound contracted service providers to the agency.
[3] Any information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Current as at: September 20, 2019