QPP 3 - collection of solicited personal information

Overview

All Queensland government agencies¹ must handle personal information in accordance with the Queensland Privacy Principles (QPP) in the Information Privacy Act 2009 (Qld) (IP Act).

This guideline is based on and includes material from the Australian Privacy Principle guidelines developed by the Office of the Australian Information Commissioner.

What is personal information?

Section 12 of the IP Act provides that personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information is true or recorded in a material format.

The individual does not need to be directly identified in the information for it to be personal information. It is sufficient if they can reasonably be identified by reference to other information.

Refer to Key privacy concepts – personal and sensitive information for more information.

QPP 3 – solicited personal information

Under QPP 3, an agency must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of its functions or activities.

Agencies must collect personal information by lawful and fair means, and it must be collected only from the individual unless:

• the individual consents to it being collected from someone else
• the collection is required or authorised by law or a court or tribunal order; or
• it is unreasonable or impracticable to collect it directly from the individual.

Sensitive information

Sensitive information defined in schedule 5 of the IP Act. Refer to Key privacy concepts – personal and sensitive information.

As explained below, sensitive information can only be collected with the individual's consent unless one of the exceptions applies.

Solicited information only

The obligations in QPP 3 only apply to solicited personal information.² An agency solicits³ personal information if it asks someone to provide, personal information or information of a kind in which personal information is included.

Unsolicited information is information that someone gives or sends to an agency at their own instigation, for example a petition from a community member that includes their personal information and the personal information of the signers. QPP 3 does not apply to unsolicited personal information.

For information on handling unsolicited personal information refer to the QPP 4 - Dealing with unsolicited personal information guideline.

Reasonably necessary for, or directly related to, functions or activities

Agencies must only collect personal information, including sensitive information, that they need. Specifically, the personal information must be:

• reasonably necessary for one or more of their functions of activities; or
• directly related to one or more of their functions or activities

Determining whether a particular collection of personal information complies with QPP 3.1 involves a two-step process⁴:

• identifying an agency’s functions or activities, and
• determining whether collecting the personal information is reasonably necessary for, or directly related to, one of those functions or activities.

Unnecessarily recording identity

When collecting information, agencies should only collect identifying information where the identity of the individual is necessary to fulfil the purpose.

Refer to QPP 2 – Dealing anonymously or pseudonymously with an agency for more information.

Functions or activities

An agency's functions may be broadly defined under an Act and refined by Regulation, a policy, Ministerial direction, or government strategies or arrangements.

Identifying an agency’s functions requires a consideration of the instruments that confer, describe, or apply to the agency’s responsibilities and obligations. These can include:

• Acts and subordinate legislative instruments
• the Administrative Arrangements Orders
• government decisions or Ministerial statements that announce a new government function
• the agency’s Publication Scheme; and
• the agency’s Annual Report.

The activities of an agency will be related to its functions and include incidental and support activities, such as human resource, corporate administration, property management and public relations activities.

When considering whether something falls within a function or activity of the agency, one starting point is to ask: 'can the agency legitimately do this' or 'is this within the agency's mandate'. This includes not just the agency's outward facing mandates, i.e., the functions it carries out for the community, but its inward facing ones, i.e., the functions it carries out with regards to its staff.

Directly related to

QPP 3 allows an agency to collect personal information directly related to one or more of its functions or activities. This requires there to be a direct connection between the personal information being collected and an agency function or activity.

Reasonably necessary for

QPP 3 also allow an agency to collect personal information that is reasonably necessary for one of its functions or activities.

Whether it is reasonably necessary to collect personal information is an objective test: would a reasonable person who is properly informed agree that the collection is reasonably necessary? The onus is on the agency to demonstrate that a particular collection was reasonably necessary.

Collection will only be reasonably necessary where the collection of the personal information helps to achieve the function or activity and it could not reasonably happen without the information.

Asking for irrelevant information will breach the privacy principles because it is not necessary for the functions or activities. Forms, questionnaires, interview questions and other tools for gathering personal information must be assessed against the purpose an agency is trying to fulfil, to ensure that they collect only necessary personal information and do not go further than is needed.

Factors which could make collection of personal information unnecessary include:

• collecting information about a group of people when information is only needed about some of the people in the group
• collecting a wide range of personal information when only specific facts are needed
• recording unnecessary information where it is provided verbally—only relevant information should be written down
• taking copies of identification (for example, a passport) where it is only necessary to see it; or
• collecting unnecessary background or financial information.

In almost all circumstances, collecting personal information just in case it may be necessary for the function or activity, or because it might in the future become necessary for a function or activity, will not comply with QPP 3. This is to be distinguished from the situation where personal information is required for a function or activity but will not be used immediately.

Some circumstances where the collection of personal information was determined⁵ not to be reasonably necessary for the function or activity were:

• a job applicant being asked to advise if they had suffered a work-related injury or illness, when this was not relevant to the position being advertised⁶
• a person applying to open a bank account being asked to complete a standard form application that included a question about marital status, when this had no bearing on the applicant's eligibility to open an account;⁷ and
• a medical practitioner photographing a patient for the patient's medical file, when this was not necessary to provide a health service.⁸

Other situations where the collection of personal information may not be reasonably necessary for an agency’s functions or activities include:

• collecting personal information about a group of individuals, when information is only required for some of those individuals
• collecting more personal information than is required for a function or activity, e.g., collecting all the information from an individual’s driver licence when the purpose is to establish if the individual is aged 18 years or over; and
• collecting personal information that is not required for a function or activity but is being entered in a database in case it might be needed in the future.

Collection by lawful and fair means

Under QPP 3.5, agencies must collect personal information, including sensitive information, only by lawful and fair means.

Collecting by lawful means

For collection to be lawful, it must be done in accordance with the law and not be done in a way that breaches a law. This includes criminal, civil and common law but will not generally include a breach of contract. Unlawful collection includes:

• any collection of personal information directly or indirectly prohibited by another law, e.g., restrictions on collecting specific information or collecting information in specific circumstances; and
• where an agency has the power to collect the information, but it exercises the power improperly or exceeds the power
• collecting information for an unlawful purpose

Examples include:

• collecting information in breach of legislation or in a way that breaches legislation
• requesting or requiring information in connection with, or for the purpose of, an act of discrimination
• collecting by a means that would constitute a civil wrong, for example, by trespassing on private property or threatening damage to a person unless information is provided
• collecting information contrary to a court or tribunal order, for example, contrary to an injunction issued against the agency.

Collecting by fair means

Personal information is collected fairly where the collection does not involve intimidation or deception and is not unreasonably intrusive. The agency must be open and not mislead the individual or coerce or intimidate them into providing information against their will.

When collecting personal information, agencies must not:

• mislead people about the confidentiality of information
• misrepresent what it will do with the information
• mislead people about who is collecting personal information, or why the information is being collected
• make false or misleading claims about the consequences of not giving information
• collect voluntary information as if it was compulsory, for example, by telling people that they are legally required to answer all questions on a form when some questions may be optional; or
• obtain information by trickery, misrepresentation, deception or under duress.

Whether a collection uses unfair means will often depend on the circumstances. For example, it would usually be unfair to collect personal information covertly without the knowledge of the individual. However, this may be a fair means of collection if undertaken in connection with an investigation.

Some examples where collection may be unfair (some may also be unlawful) include:

• collecting from a file discarded by accident on a street, or from an electronic device which is lost or left unattended
• collecting from an individual who is traumatised, in a state of shock or intoxicated
• collecting in a way that disrespects cultural differences
• misrepresenting the purpose or effect of collection, or the consequences for the individual of not providing the requested information
• collecting by telephoning an individual in the middle of the night
• collecting by deception, for example, wrongly claiming to be a police officer, doctor, or trusted organisation.

Collection of Sensitive information

Sensitive information is a category of personal information defined in schedule 5 of the IP Act. Under QPP 3.3, agencies can only collect sensitive information where the collection is reasonably necessary for, or directly related to, functions or activities of the agency and the individual consents, or one of the below criteria apply⁹:

• the collection is required or authorised by law or court order
• the agency is a law enforcement agency and collection is for one or more of their functions or activities
• the agency is a health agency, and a permitted health situation exists in relation to the collection of the information; or
• a permitted general situation exists in relation to the collection of the information by the agency.

Law or court/tribunal order

Sensitive information can be collected without consent where the collection is authorised or required by or under an Australian law or by or under a court or tribunal order.

Refer to the discussion below and QPP 3&6 – authorised by law or a court order for more information.

Law enforcement agency

Law enforcement agency is defined in schedule 5 of the IP Act and includes any agency that conducts enforcement activities. A law enforcement agency can collect sensitive information without consent where it reasonably believes collecting it is reasonably necessary for, or directly related to, one or more of its functions or activities.

Refer to Key privacy concepts – enforcement agencies and enforcement activities and QPP 3&6 – law enforcement agencies and activities for more information.

Permitted health situations

The permitted health situations are set out in schedule 4, part 2 of the IP Act. These only apply to health agencies and health information.

Refer to QPP 3&6 - collection, use and disclosure of health information by a health agency.

What are the permitted general situations?

The permitted general situations are set out in schedule 4, part 1. The permitted general situations allowing sensitive personal information to be collected without consent are the same permitted general situations which allow agencies to use or disclose personal information for a secondary purpose under QPP 6.2(c). They are:

• the agency reasonably believes the collection is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety and it is unreasonable or impracticable to obtain the individual's consent
• the agency has reason to suspect unlawful activity or misconduct of a serious nature which relates to the entity's functions or activities has been, is being, or may be engaged in, and it reasonably believes the collection is necessary for the entity to take appropriate action in relation to the matter
• the agency reasonably believes the collection is reasonably necessary to assist in the location of a who has been reported as missing
• the collection is reasonably necessary for the establishment, exercise, or defence of a legal or equitable claim; or
• the collection is reasonably necessary for the purposes of a confidential alternative dispute resolution process.

Collection of personal information that is not sensitive information

Under QPP 3.6, agencies must collect personal information about an individual only from the individual, unless one of the following exceptions apply:

• the individual consents to the personal information being collected from someone other than the individual
• the agency is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual, or
• it is unreasonable or impracticable for the entity to collect personal information only from the individual.

The agency does not need to specifically request personal information for this requirement to apply. It is sufficient if they ask for a kind of information that happens to include personal information.

Unreasonable or impracticable to collect directly from the individual

Whether it is unreasonable or impracticable to collect personal information directly from the individual concerned will depend on the circumstances. Relevant considerations include:

• whether it is possible to collect the information directly from the individual, e.g., if they are using a translation service, the agency will have to collect the information from the translator
• whether the individual would reasonably expect personal information about them to be collected directly from them or from another source
• the sensitivity of the personal information being collected
• whether direct collection would jeopardise the purpose of collection or the integrity of the personal information collected
• any privacy risk if the information is collected from another source; and
• the time and cost involved of collecting directly from the individual, but agency is not excused from collecting from the individual rather than another source only because it would be inconvenient, time-consuming, or impose some cost to do so. Whether these factors make it unreasonable or impracticable will depend on whether the burden is excessive in all the circumstances.

Examples of when it may be unreasonable or impracticable to collect personal information directly from the individual concerned include:

• collection by a law enforcement agency of personal information about an individual who is under investigation, where the collection may jeopardise the investigation if the personal information is collected only from that individual; and
• if a legal or official document that is mailed to an individual is returned to the sender, the individual’s current contact details may need to be obtained from another source.

Consent by the individual

Consent can be express or implied, and must be voluntary, informed, current and specific, and the individual must have the capacity to consent. This is discussed in more detail in Key Privacy concepts – consent.

An example of where an agency might collect personal information from someone other than the individual is where the individual consented to another agency disclosing their personal information (such as contact details) to the agency.

Required or authorised by law or a court or tribunal order

Collection of personal information from someone other than the individual it is about will be required or authorised by law where a law requires or allows that collection. This includes where the collection is impliedly authorised or required by law, because an agency cannot exercise an authorised or required power or function without collecting personal information from someone other than the individual it is about.

This approach also applies to an order of a court or tribunal.

Required or authorised by or under law or order of a court or tribunal order is discussed in more detail in QPP 3&6 – authorised by law or court order.