Privacy Myths - Busted!

People often think privacy means no one is allowed to know anything about them—or that no one is allowed to use their information or give it to someone else. The reality is that privacy is more complex, and it's not absolute.

In Queensland, the Information Privacy Act 2009 (IP Act) helps ensure your privacy rights are protected. Its privacy principles create rules that permit Queensland government agencies to appropriately use personal information, including for service delivery, law enforcement, and public safety, and require agencies to protect it from misuse and abuse. This guideline helps clear up some of the more common privacy myths.

Myth: If there’s no name, it's not personal information

Not necessarily. Information without a name can still be personal information.  Under the IP Act, personal information is information about an individual whose identity is apparent—or can be reasonably ascertained. Even if the individual isn't named, if you can reasonably work out who they are the information can be personal information.

Whether the identity of an individual can be worked out will depend on the type and detail of the initial information, and how easily this can be linked to other known information. This means that de-identifying information requires more than just removing an individual’s name.

Myth: Privacy means you have to get the individual’s consent before dealing with their personal information

Not correct. Agencies don't need consent to collect personal information and it's only one of the options that allow an agency to use or disclose it. The privacy principles also let agencies use or disclose personal information to assist in a law enforcement activity, to lessen or prevent a threat, or where another law permits—without the individual's consent.

Myth: Privacy makes it harder to deal with an emergency or natural disaster

Not correct. The IP Act actually makes it easier to collect, use, or share personal information in an emergency or natural disaster. The privacy principles recognise that effective information flows are critical in an emergency: they don't require agencies to give a collection notice when delivering an emergency service, agencies can use or disclose information as needed to prevent or lessen a serious threat to an individual or the public.

Myth: Privacy makes it hard for government to use social media

Not correct. The privacy principles don't limit agencies' ability to use social media. In fact, social media is an important part of how most agencies communicate with the public. Agencies just need to make sure privacy is part of their social media strategy by having clear and accessible policies about personal information collection, use, disclosure and security. Agencies may also need rules about obtaining consent and about when personal information is sent overseas, but privacy is not a barrier to effective social media.

Myth: Privacy stops government from using cloud services

Not correct. Cloud service arrangements with robust security and accountability safeguards can be compatible with the privacy principles—and may even enhance the protection of personal information. This is true even where the cloud service provider is overseas. The rules about overseas transfer in the IP Act are intended to protect personal information which leaves the country. A cloud service contract which ensures the integrity and security of that personal information, including its collection, storage, use and disclosure, will go a long way towards satisfying those rules.

Myth: Privacy stops government information flow – you can’t tell anyone anything

Not correct. The privacy principles provide for the fair handling of personal information and they're flexible enough to allow the appropriate flow of personal information within and between agencies. There are no restrictions on an agency using personal information for the reason it was collected or giving it to third parties the individual was told about when they gave it to the agency. The privacy principles also have specific rules that agencies can rely on when there is a genuine need, recognised by the IP Act, to use or disclose personal information.

Myth: Privacy and the Right to Information Act 2009 contradict each other

Not correct. The IP Act and Right to Information Act 2009 (RTI Act) work together to ensure an appropriate balance between privacy protection and government openness.

The privacy principles create the rules that protect personal information. The RTI Act creates an access scheme for the lawful disclosure of government-held information that balances privacy protection—recognised as a strong factor against disclosure and requiring people to be consulted—with the necessary release of information for accountable and responsible government. In most, but not all, cases releasing an individual’s personal information to someone else will be contrary to the public interest.

Myth: Privacy doesn’t apply to law enforcement

Not correct. The privacy principles in the IP Act apply to law enforcement agencies. However, the IP Act provides some exceptions and exemptions that ensure privacy does not inhibit law enforcement activities—for example, a law enforcement agency conducting covert surveillance is not required to give a collection notice to the individuals being surveilled. Non-law enforcement activities, such as human resources administration, are subject to the full obligations of the privacy principles.

Myth: The privacy principles apply to material which is publicly available

Not quite correct. If personal information is part of a generally available publication, it's not covered by the privacy principles. This includes things like the electoral roll, published court decisions, or anything kept in a library. The rules are also relaxed if the agency is giving personal information to someone who already knows it or is in a position to find it out, or in relation to information the individual published themselves.

Myth: The IP Act allows agencies or employees to be fired or fined if they breach the privacy principles

Not quite correct. The IP Act provides for an individual to make a privacy complaint if an agency breaches their privacy. It does not provide for the agency to be fined or an agency employee to be fired. However, if the breach of privacy also involves misconduct by the employee, disciplinary action can be taken by the agency which could result in an employee’s dismissal or some other action.

Privacy complaints are remedial in nature; that is, their outcome is intended to remedy the breach that has occurred. If a privacy complaint proceeds from the agency, to the OIC, to the Queensland Civil and Administrative Tribunal (QCAT), QCAT can make a number of remedial orders, including compensation. They cannot fine or otherwise penalise the agency or employee.