The Information Privacy Act 2009 (Qld) (IP Act) contains a number of privacy principles which set out the rules for how agencies[1] are to collect, manage, use and disclose personal information. These include the Information Privacy Principles (IPPs),[2] the National Privacy Principles (NPPs)[3] which apply only to health agencies, the transfer out of Australia rules and the obligations when contracting with a service provider.
Personal information is defined very broadly in the IP Act, and it includes information or opinion in any form, whether true or not, about a person who is or can be identified.[4]
The IP Act's law enforcement provisions
The IP Act contains a number of provisions dealing specifically with the law enforcement activities of law enforcement agencies. These provisions recognise that an agency's use of personal information for investigation and enforcement purposes may not be compatible with the privacy principles in all circumstances. For example, it would defeat the purpose of covert surveillance if an agency were to inform an individual that their personal information is being collected.
Law enforcement activities are dealt with in three different ways in the IP Act:
- as part of the privacy principles – the agency is bound by the principles but is able to rely on specific exemptions for law enforcement activities
- permitted non-compliance with some of the IPPs – the agency can effectively disregard the specified privacy principles in relation to an enforcement action
- exemptions from the privacy principles for certain documents – the privacy principles do not apply to personal information in the stated documents.
What is a law enforcement agency?
Schedule 5 of the IP Act contains two different definitions of law enforcement agency.
For IPP 11(1)(e), a law enforcement agency has the same meaning as enforcement body in the Privacy Act 1988 (Cth).[5] Enforcement body includes the Australian Federal Police, Customs, and any government body of the Commonwealth or of a State or Territory (including a Queensland body) with responsibility for revenue protection or for administering, or performing a function under, a law imposing penalties or sanctions.
For the rest of the IP Act, a law enforcement agency is defined as the Queensland Police Service under the Police Service Administration Act 1990 (Qld), the Crime and Corruption Commission under the Crime and Corruption Act 2001 (Qld), the Community Safety department, or any other agency, or body within an agency, to the extent that agency has responsibility for:
- functions or activities directed to the prevention, detection, investigation, prosecution or punishment of offences and other breaches of the law for which penalties or sanctions may be imposed
- the management of property seized or restrained under a law relating to the confiscation of the proceeds of crime
- the enforcement of a law, or an order made under a law, relating to the confiscation of the proceeds of crime; or
- the execution or implementation of an order or decision made by a court or tribunal.
If an agency is one of the entities listed by name, the agency is permitted to rely on the law enforcement provisions for actions taken under the listed Act. Most other agencies will fall within the definition of a law enforcement agency for one or more of their functions, as most agencies administer legislation which contains offences, penalties or sanctions made under an Act.
A department is responsible for administering an Act which makes it an offence to drink alcohol in a public place when no relevant permit has been issued. The department's actions in relation to the prevention, detection, investigation, prosecution or punishment of people who drink alcohol in a public place such as a local park are law enforcement actions. Purely administrative matters, such as issuing licences to people allowing public consumption of alcohol, are not considered to be a law enforcement function, even if carried out by the same area of the department.
Law enforcement provisions contained in the privacy principles
IPP 10 deals with use of personal information, IPP 11 deals with disclosure of personal information, and NPP 2 deals with use and disclosure of personal information by health agencies. IPP 10(1)(d), IPP 11(1)(e) and NPP 2(1)(g) provide that personal information may be used or disclosed by a law enforcement agency, or disclosed to a law enforcement agency, if the use or disclosure is necessary in relation to one or more of the following activities:
- prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of the law which impose penalties or sanctions
- the enforcement of laws relating to the confiscation of the proceeds of crime
- protection of the public revenue
- prevention, detection, investigation or remedying of seriously improper conduct
- preparation for, or conduct of, proceedings before any court or tribunal
- implementation of the orders of a court or tribunal.
If personal information is used or disclosed in reliance on the above, the agency must place a note of the use or disclosure on the file.
The Department of Water Quality is investigating a possible breach by a local farmer of the obligation to keep water clean. A breach of the Clean Water Act 2007 attracts penalties of up to 500 penalty units. The Department could disclose personal information about the farmer, for example that he was being investigated, to the local council, neighbours, or farmhands if the disclosure was a necessary part of the Department's investigation. The Department would then make a note of the disclosure on the farmer's file.
IPP 11(1)(ea) permits a non-health agency to disclose personal information to the Australian Security Intelligence Organisation (ASIO) in specific circumstances. ASIO must request its disclosure, an ASIO officer or employee appropriately authorised by the director-general of ASIO must certify that the information is required in connection with ASIO's functions, and the agency must only disclose the information to an ASIO officer or employee authorised in writing to receive it.
Additionally, health agencies may rely on NPP 2(1)(e) which permits the use or disclosure of personal information if:
- there is a reasonable suspicion that unlawful activity is being, or has or may have been, engaged in; and
- the use or disclosure is a necessary part of its investigation or reporting of the matter.
Permitted non-compliance for law enforcement functions
Section 29 of the IP Act permits a law enforcement agency to not comply with certain privacy principles in specific circumstances. This section only relates to the IPPs, and not to the NPPs or other privacy principles; it does not apply to health agencies.
Under section 29, the privacy principles with which a law enforcement agency does not have to comply are:
- IPP 2: provide a collection notice
- IPP 3: only collect relevant, complete and up to date personal information, and do not intrude unreasonably on an individual's personal affairs
- IPP 9: only use relevant personal information
- IPP 10: only use personal information for the purpose for which it was collected, unless an exception applies
- IPP 11: do not disclose personal information to anyone but the individual it is about, unless an exception applies.
There are a number of criteria, set out in the subsections to section 29, which must be met before a law enforcement agency can rely on section 29. The law enforcement agency must satisfy itself on reasonable grounds that non-compliance with one or more of the listed privacy principles is necessary in order to achieve or carry out the enforcement function in question. It is a decision that must be made every time the agency wishes to be non-compliant; it cannot, for example, decide as a matter of agency policy that all investigations into water pollution require non-compliance with one of the listed privacy principles.
Law enforcement documents which are exempt from the privacy principles
Schedule 1 of the IP Act sets out documents to which the privacy principles do not apply. These include documents which relate to covert activity and witness protection. An agency does not have to comply with the privacy principles in relation to a document to the extent it contains personal information where:
- the document[6]:
  - arose out of, or in connection with, a controlled operation or activity under the Police Powers and Responsibilities Act 2000 (Qld) or the Crime and Corruption Act 2001 (Qld)
  - arose out of, or in connection with, the covert undertaking of an operation, investigation or function of a law enforcement agency
  - was obtained under a warrant issued under the Telecommunications (Interception and Access) Act 1979 (Cth).
- if the document[7]:
  - contains personal information about a person who is included in a witness protection program under the Witness Protection Act 2000 (Qld)
  - contains personal information about a person subject to other witness protection arrangements under the Witness Protection Act 2000 (Qld).
- if the document contains personal information arising out of a complaint, or an investigation of corrupt conduct, under the Crime and Corruption Act 2001 (Qld).[8]
What if a law enforcement agency asks for personal information?
If a law enforcement agency (Agency One) requests information from any other Queensland government agency (Agency Two), Agency Two may rely on the provisions of IPP 11(1)(e) or NPP 2(1)(g) to disclose information to Agency One. However, Agency Two may only disclose the personal information if it is satisfied on reasonable grounds that the personal information is necessary for Agency One to carry out one or more of the activities listed in IPP 11(1)(e) or NPP 2(1)(g).
An agency which is asked to disclose personal information under IPP 11(1)(e) or NPP 2(1)(g) must have sufficient evidence to satisfy itself that the disclosure is justified. In the event of a privacy complaint, the onus will be on the agency disclosing the personal information to demonstrate that it acted in compliance with the privacy principles. The agency may elect not to disclose personal information to a law enforcement agency under these principles unless such requests are made in writing by a sufficiently senior officer, and set out the reasons why the personal information is required.
An enforcement officer from the Department of Safe Streets (the Department) attends the counter of Queensland Bikes and asks to see the records of Barry Bicyclist, because he "needs it to do his job". Queensland Bikes does not have enough information to be sure that IPP 11(1)(e) is satisfied. Queensland Bikes might request a senior officer of the Department to make the request in writing, giving enough detail to allow Queensland Bikes to be sure the disclosure would comply with the privacy principles. If satisfied the disclosure was permitted, Queensland Bikes could provide Barry's record to the Department. Queensland Bikes would then have to make a note of the disclosure on Barry's file.
If there is a regular, legitimate exchange of personal information between two agencies for law enforcement purposes, entering into a Memorandum of Understanding which sets out the requirements and procedures for each agency would minimise the risk of a privacy principle breach.
- 1 In this Guideline references to an "agency" include Ministers and bound contracted service providers, unless otherwise specified.
- 2 See schedule 3 of the IP Act.
- 3 See schedule 4 of the IP Act.
- 4 See section 12 of the IP Act.
- 5 See the full definition of enforcement body.
- 6 Schedule 1, provision 1.
- 7 Schedule 1, provision 2.
- 8 Schedule 1, provision 3.
Current as at: June 5, 2017