The Information Privacy Act 2009 (Qld) (IP Act) contains four sets of privacy principles: the Information Privacy Principles (IPPs), the National Privacy Principles (NPPs), the transfer out of Australia rules1 and the bound contracted service provider rules2. This guideline explains some of the unique features of the NPPs.
The IPPs and the NPPs create two distinct sets of privacy obligations under the IP Act. The NPPs apply to health agencies3 and cover both administrative and clinical information; the IPPs apply to all other agencies.
While the NPPs and the IPPs cover the same administrative actions of collection, storage, use and disclosure, they set out different obligations. The specific set of privacy principles for health agencies reflects, in part, the unique nature of personal information in the health environment.4
You work harder (at collection) in health
The IP Act requires that an individual is provided with certain information before, or at the same time as, personal information is collected from them.5 Often referred to as a ‘collection notice’, this information informs an individual about the purposes for which their information is collected, details of any law that allows or requires the collection, and the entities to whom their personal information is usually disclosed.
As well as the above information, NPP 1 requires that the collection notice6 make an individual aware of:
- the identity of the health agency and how to contact it
- the fact that the individual is able to gain access to the information they have provided;7 and
- the main consequences, if any, for the individual if all or part of the information is not provided.
NPP 1(5) also requires that reasonable steps must be taken to provide an individual with a collection notice where personal information about that individual has been collected from someone else. This is an important difference from IPP 2, which does not apply where an agency collects personal information about an individual from a third party.
Finally, there are special conditions that apply when ‘sensitive information’ is collected.
Ouch – that’s sensitive
Sensitive information is a subset of personal information which arises only under the NPPs: specifically, NPP 9. Sensitive information is information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, trade union membership, sexual preferences or practices, criminal record and, most relevantly, all health information8 about the individual.
NPP 9 sets out the circumstances in which a health agency may collect sensitive information. It does not impose any additional obligations on how sensitive information – once collected – is stored, used or disclosed. The intent of this privacy principle is to afford sensitive information a higher level of privacy protection by placing limitations on the circumstances under which it may be collected.
Primary disclosure? Fine. Secondary disclosure? You’ll need an exception for that
Under IPP 11, there are limited circumstances in which an individual’s personal information may be provided to a third party. Under NPP 2, this is relatively more relaxed.
A health agency can disclose an individual’s personal information to a third party without relying on a permitted exception if the disclosure is for the purpose for which the information was obtained in the first place, ie the primary purpose. For example, if a health agency obtained the information for the purpose of providing the individual with a health service, it can provide that information to someone else if their purpose for receiving the information is also to provide that health service.9
It is only when the disclosure is for a different purpose altogether – a secondary purpose – that one of the permitted exceptions in NPP 2 needs to be satisfied.
We were just talking…
The IP Act defines personal information as being information whether in a material form or not.10 However, all the IPPs refer to documents containing personal information. There cannot be a breach of an IPP unless it involves personal information that is contained in a document. As such, the IPPs do not apply to verbal information that is never recorded in a document.
The NPPs do not have this restriction. The NPPs apply to all personal information, regardless of whether or not it is contained in a document.11
Identity is an option
NPP 8 requires that, wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with a health agency. There is no equivalent obligation in the IPPs.
It will not always be possible to offer the option of anonymity. Providing a health service to a person without obtaining their name may be unlawful where an Act obliges the health agency to collect identifying information.12 In some circumstances it may be impractical to provide a service anonymously, such as where the recipient of the health service requires follow up care or care from a multi-disciplinary team.
However, if the option for individuals to interact anonymously is capable of being offered, it can benefit both the individual and the health agency. It allows the individual to exercise control over their personal information and the health agency’s obligations under the IP Act are considerably lessened when it deals anonymously with an individual, as personal information requires the individual to be identifiable.13 Information which is not about an identifiable individual, or an individual who is not reasonably identifiable, is not ‘personal information’ and does not attract the protections of the IP Act.
A parallel protection - unique to NPP 4 - is the obligation on a health agency to de-identify its personal information holdings if the information is no longer needed for any purpose for which it was collected or may be used.14
- 1 Section 33 of the IP Act.
- 2 Chapter 2, part 4 of the IP Act.
- 3 Queensland Health or a Hospital and Health Service.
- 4 Historically, the NPPs were applied to health agencies to provide greater consistency across the Australian health sector. The NPPs in the Privacy Act 1988 (Cth) were replaced by the Australian Privacy Principles (APPs) on 12 March 2014.
- 5 Or if that is not practicable, as soon as practicable after the collection occurs.
- 6 If the information is required under a statutory collection, a health agency is not obliged to provide a collection notice under the exemption in NPP 1(6). There is no equivalent exemption for the IPPs. However, an agency that is not a health agency may not be obliged under the exemption in IPP 2(5) to provide a collection notice in the ‘delivery of an emergency service’. The NPPs do not contain an equivalent exemption.
- 7 In the IPPs, this requirement is set out in IPP 5: providing information about documents containing personal information.
- 8 See schedule 5 of the IP Act for a comprehensive definition of health information.
- 9 Examples include where a Hospital and Health Service shares patient information with the not-for-profit organisation the Royal Flying Doctor Service, or provides a General Practitioner with an individual’s Discharge Summary following a hospital stay.
- 10 See section 12 of the IP Act.
- 11 The Acts Interpretation Act 1954 (Qld) defines documents quite broadly to include paper or other material with writing or meaningful marks, symbols or figures on it, and any disc, tape or other article from which images, writing or messages can be produced.
- 12 For example, section 79(4) of the Health (Drugs and Poisons) Regulation 1996 (Qld) requires that the prescription for a controlled drug must include the name, address and date of birth of the person for whose use it is prescribed.
- 13 See section 12 of the IP Act.
- 14 Noting that the management of documents held by a health agency will fall first under the Public Records Act 2002 (Qld), which may prohibit their amendment or destruction.
Current as at: February 2, 2016