The Information Privacy Act 2009 (Qld) (IP Act) contains a number of privacy principles which set out the rules for how agencies are to collect, manage, use and disclose personal information. These include the Information Privacy Principles (IPPs), the National Privacy Principles (NPPs), which apply only to health agencies, the transfer out of Australia rules and the obligations when contracting with a service provider.
Personal information is defined very broadly in the IP Act, and it includes information or opinion in any form, whether true or not, about a person who is or can be identified.
The IP Act contains a number of provisions dealing specifically with the law enforcement activities of law enforcement agencies. These provisions recognise that an agency's use of personal information for investigation and enforcement purposes may not be compatible with the privacy principles in all circumstances. For example, it would defeat the purpose of covert surveillance if an agency were to inform an individual that their personal information is being collected.
Law enforcement activities are dealt with in three different ways in the IP Act:
Schedule 5 of the IP Act contains two different definitions of law enforcement agency.
For IPP 11(1)(e), a law enforcement agency has the same meaning as enforcement body in the Privacy Act 1988 (Cth). Enforcement body includes the Australian Federal Police, Customs, and any government body of the Commonwealth or of a State or Territory (including a Queensland body) with responsibility for revenue protection or for administering, or performing a function under, a law imposing penalties or sanctions.
For the rest of the IP Act, a law enforcement agency is defined as the Queensland Police Service under the Police Services Administration Act 1990 (Qld), the Crime and Corruption Commission under the Crime and Corruption Act 2001 (Qld), the Community Safety department, or any other agency, or body within an agency to the extent that agency has responsibility for:
If an agency is one of the entities listed by name, the agency is permitted to rely on the law enforcement provisions for actions taken under the listed Act. Most other agencies will fall within the definition of a law enforcement agency for one or more of their functions, as most agencies administer legislation which contains offences, penalties or sanctions made under an Act.
A department is responsible for administering an Act which makes it an offence to drink alcohol in a public place when no relevant permit has been issued. The department's actions in relation to the prevention, detection, investigation, prosecution or punishment of people who drink alcohol in a public place such as a local park are law enforcement actions. Purely administrative matters, such as issuing licences to people allowing public consumption of alcohol, are not considered to be a law enforcement function, even if carried out by the same area of the department.
IPP 10 deals with use of personal information, IPP 11 deals with disclosure of personal information, and NPP 2 deals with use and disclosure of personal information by health agencies. IPP 10(1)(d), IPP 11(1)(e) and NPP 2(1)(g) provide that personal information may be used or disclosed by a law enforcement agency, or disclosed to a law enforcement agency, if the use or disclosure is necessary in relation to one or more of the following activities:
If personal information is used or disclosed in reliance on the above, the agency must place a note of the use or disclosure on the file.
The Department of Water Quality is investigating a possible breach by a local farmer of the obligation to keep water clean. A breach of the Clean Water Act 2007 attracts penalties of up to 500 penalty units. The Department could disclose personal information about the farmer, for example that he was being investigated, to the local council, neighbours, or farmhands if the disclosure was a necessary part of the Department's investigation. The Department would then make a note of the disclosure on the farmer's file.
IPP 11(1)(ea) permits a non-health agency to disclose personal information to the Australian Security Intelligence Organisation (ASIO) in specific circumstances. ASIO must request its disclosure, an ASIO officer or employee appropriately authorised by the director-general of ASIO must certify that the information is required in connection with ASIO's functions, and the agency must only disclose the information to an ASIO officer or employee authorised in writing to receive it.
Additionally, health agencies may rely on NPP 2(1)(e) which permits the use or disclosure of personal information if:
Section 29 of the IP Act permits a law enforcement agency to not comply with certain privacy principles in specific circumstances. This section only relates to the IPPs, and not to the NPPs or other privacy principles; it does not apply to health agencies.
Under section 29, the privacy principles with which a law enforcement agency does not have to comply are:
There are a number of criteria, set out in the subsections to section 29, which must be met before a law enforcement agency can rely on section 29. The law enforcement agency must satisfy itself on reasonable grounds that non-compliance with one or more of the listed privacy principles is necessary in order to achieve or carry out the enforcement function in question. It is a decision that must be made every time the agency wishes to be non-compliant; it cannot, for example, decide as a matter of agency policy that all investigations into water pollution require non-compliance with one of the listed privacy principles.
Schedule 1 of the IP Act sets out documents to which the privacy principles do not apply. These include documents which relate to covert activity and witness protection. An agency does not have to comply with the privacy principles in relation to a document to the extent it contains personal information where:
If a law enforcement agency (Agency One) requests information from any other Queensland government agency (Agency Two), Agency Two may rely on the provisions of IPP 11(1)(e) or NPP 2(1)(g) to disclose information to Agency One. However, Agency Two may only disclose the personal information if it is satisfied on reasonable grounds that the personal information is necessary for Agency One to carry out one or more of the activities listed in IPP 11(1)(e) or NPP 2(1)(g).
An agency which is asked to disclose personal information under IPP 11(1)(e) or NPP 2(1)(g) must have sufficient evidence to satisfy itself that the disclosure is justified. In the event of a privacy complaint, the onus will be on the agency disclosing the personal information to demonstrate that it acted in compliance with the privacy principles. The agency may elect not to disclose personal information to a law enforcement agency under these principles unless such requests are made in writing by a sufficiently senior officer, and set out the reasons why the personal information is required.
An enforcement officer from the Department of Safe Streets (the Department) attends the counter of Queensland Bikes and asks to see the records of Barry Bicyclist, because he "needs it to do his job". Queensland Bikes does not have enough information to be sure that IPP 11(1)(e) is satisfied. Queensland Bikes might request a senior officer of the Department to make the request in writing, giving enough detail to allow Queensland Bikes to be sure the disclosure would comply with the privacy principles. If satisfied the disclosure was permitted, Queensland Bikes could provide Barry's record to the Department. Queensland Bikes would then have to make a note of the disclosure on Barry's file.
If there is a regular, legitimate exchange of personal information between two agencies for law enforcement purposes, entering into a Memorandum of Understanding which sets out the requirements and procedures for each agency would minimise the risk of a privacy principle breach.
Current as at: June 5, 2017