Five things you might not know about the NPPs

The Information Privacy Act 2009 (Qld) (IP Act) contains four sets of privacy principles: the Information Privacy Principles (IPPs), the National Privacy Principles (NPPs), the transfer out of Australia rules¹ and the bound contracted service provider rules². This guideline explains some of unique features of the NPPs.

The IPPs and the NPPs create two distinct sets of privacy obligations under the IP Act.  The NPPs apply to health agencies³ and cover both administrative and clinical information; the IPPs apply to all other agencies.

While the NPPs and the IPPs cover the same administrative actions of collection, storage, use and disclosure, they set out different obligations. The specific set of privacy principles for health agencies reflect, in part, the unique nature of personal information in the health environment.⁴

You work harder (at collection) in health

The IP Act requires that an individual is provided with certain information before, or at the same time as, personal information is collected from them.⁵ Often referred to as a ‘collection notice’, this information informs an individual about the purposes for which their information is collected, details of any law that allows or requires the collection, and the entities to whom their personal information is usually disclosed.

As well as the above information, NPP 1 requires that the collection notice⁶ make an individual aware of:

• the identity of the health agency and how to contact it
• the fact that the individual is able to gain access to the information they have provided;⁷ and
• the main consequences, if any, for the individual if all or part of the information is not provided.

NPP 1(5) also requires that reasonable steps must be taken to provide an individual with a collection notice where personal information about that individual has been collected from someone else.  This is an importance difference from IPP 2, which does not apply where an agency collects personal information about an individual from a third party.

Finally, there are special conditions that apply when ‘sensitive information’ is collected.

Ouch – that’s sensitive

Sensitive information is a subset of personal information which arises only under the NPPs: specifically, NPP 9.  Sensitive information is information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, trade union membership, sexual preferences or practices, criminal record and, most relevantly, all health information⁸ about the individual.

NPP 9 sets out the circumstances in which a health agency may collect sensitive information.  It does not impose any additional obligations on how sensitive information – once collected – is stored, used or disclosed.  The intent of this privacy principle is to afford sensitive information a higher level of privacy protection by placing limitations on the circumstances under which it may be collected.

Primary disclosure? Fine. Secondary disclosure? You’ll need an exception for that

Under IPP 11, there are limited circumstances in which an individual’s personal information may be provided to a third party.  Under NPP 2, this is relatively more relaxed.

A health agency can disclose an individual’s personal information to a third party without relying on a permitted exception if the disclosure is for the purpose for which the information was obtained in the first place, ie the primary purpose. For example, if a health agency obtained the information for the purpose of providing the individual with a health service, it can provide that information to someone else if their purpose for receiving the information is also to provide that health service.⁹

It is only when the disclosure is for a different purpose altogether – a secondary purpose – that one of the permitted exceptions in NPP 2 needs to be satisfied.

We were just talking…

The IP Act defines personal information as being information whether in a material form or not.¹⁰ However, all the IPPs refer to documents containing personal information.  There cannot be a breach of an IPP unless it involves personal information that is contained in a document. As such, the IPPs do not apply to verbal information that is never recorded in a document.

The NPPs do not have this restriction. The NPPs apply to all personal information, regardless of whether or not it is contained in a document.¹¹

Identity is an option

NPP 8 requires that, wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with a health agency.  There is no equivalent obligation in the IPPs.

It will not always be possible to offer the option of anonymity. Providing a health service to a person without obtaining their name may be unlawful where an Act obliges the health agency to collect identifying information.¹² In some circumstances it may impractical to provide a service anonymously, such as where the recipient of the health service requires follow up care or care from a multi-disciplinary team.

However, if the option for individuals to interact anonymously is capable of being offered, it can benefit both the individual and the health agency.  It allows the individual to exercise control over their personal information and the health agency’s obligations under the IP Act are considerably lessened when it deals anonymously with an individual, as personal information requires the individual to be identifiable.¹³ Information which is not about an identifiable individual, or an individual who is not reasonably identifiable, is not ‘personal information’ and does not attract the protections of the IP Act.

A parallel protection - unique to NPP 4 - is the obligation on a health agency to de-identify its personal information holdings if the information is no longer needed for any purpose for which it was collected or may be used.¹⁴