Health agencies1 are required to comply with the National Privacy Principles (NPPs), and all other agencies2 with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).
In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.
Under IPPs 1 and 3 and NPP 1(1) and (2), non-health agencies and health agencies have specific obligations when they collect personal information3. These include only collecting personal information needed for the agency's functions and doing so only in lawful, fair, and non-intrusive ways. Health agencies and non-health agencies each have additional obligations.
Personal information collection is a fundamental part of information privacy regulation. Significant amounts of personal information are collected by agencies and that collection must comply with the privacy principles. The primary considerations when collecting personal information are:
If the answer to the second question is yes, then the information should not be collected.
(1) An agency must not collect personal information for inclusion in a document or generally available publication unless—
(a) the information is collected for a lawful purpose directly related to a function or activity of the agency; and
(b) the collection of the information is necessary to fulfil the purpose or is directly related to fulfilling the purpose.
(2) An agency must not collect personal information in a way that is unfair or unlawful.
(1) This section applies to the collection by an agency of personal information for inclusion in a document or generally available publication.
(2) However, this section applies to personal information only if the agency asks for the personal information from any person.
(3) The agency must take all reasonable steps to ensure that—
(a) the personal information collected is—
(i) relevant to the purpose for which it is collected; and
(ii) complete and up to date; and
(b) the extent to which personal information is collected from the individual the subject of it, and the way personal information is collected, are not an unreasonable intrusion into the personal affairs of the individual.
(1) A health agency must not collect personal information unless the information is necessary for 1 or more of its functions or activities.
(2) A health agency must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
(4) If it is reasonable and practicable to do so, a health agency must collect personal information about an individual only from that individual.
A health agency must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.
Agencies often acquire personal information that they do not solicit. This may be part of their function—for example, law enforcement agencies rely on reports from the public about potential breaches of the law—but all agencies will inevitably receive unsolicited personal information. For example, it may arrive when an:
An agency does not breach the collection privacy principles when it receives unsolicited irrelevant personal information, because the collection principles do not apply to unsolicited personal information.
Generally, an agency cannot automatically destroy or return unsolicited personal information. This is because the Public Records Act 2002 (Qld) requires agencies to retain documents in accordance with retention and disposal schedules. An agency will need to determine if information received is a public record before consideration is given to returning or destroying it.
An agency must have a clear purpose for collecting personal information. The purpose of collection should be specific, and it should relate to the current reason for collecting the information.
Refer to What to tell people when collecting personal information for more information about detailing the purpose for collection and what an agency must tell people when collecting information from them.
Agencies must comply with any legislation that deals with personal information collection, for example, an Act may require that information be provided, or it may regulate how it is dealt with. If an agency is collecting information under an Act, the Act will generally determine the purpose for collection.
The purpose the personal information is intended to fulfil must be directly related to one or more of the agency's functions or activities. An agency's functions and activities may be broadly defined under an Act and refined by regulation, departmental or Council policy, Ministerial direction or whole of government or policy.
The personal information being collected must be necessary for the function or activity the agency is undertaking. It will only be necessary where the collection of the personal information directly helps to achieve that purpose and the purpose could not reasonably happen without the information.
Asking for irrelevant information will breach the privacy principles because it is not necessary for the functions or activities. For example:
Forms, questionnaires, interview questions and other tools for gathering personal information must be assessed against the purpose an agency is trying to fulfil, to ensure that they collect only necessary personal information and do not go further than is needed.
When collecting information, agencies should only collect identifying information where the identity of the individual is necessary to fulfil the purpose.
Health agencies must collect information by lawful and fair means and non-health agencies must not collect information in unlawful or unfair ways.
For collection to be lawful, it must be done in accordance with the law and not be done in a way that breaches a law. This includes criminal, civil and common law. Unlawful collection includes:
Collection will also be unlawful where the action of collecting the information breaches a law, for example where the collector trespasses to obtain it.
Collection of information will be fair if the agency is open and not misleading, and if the individual is not coerced or intimidated into providing information against their will. When collecting personal information, agencies must not:
Health agencies must not collect personal information in a way that is unreasonably intrusive. This obligation applies regardless of who the information is collected from.
For non-health agencies, the obligation only applies when information is collected from the individual it is about and is phrased as 'not intruding unreasonably on the individual's personal affairs'. Personal affairs refers to the individual's private or domestic life, and is not related to their work or business.
When an agency collects personal information, it may do so passively, eg by making a website form available, or actively, eg by interviewing an individual. Some active ways will inevitably intrude on the individual; the agency's obligation is to ensure this intrusion is not unreasonable.
When considering whether the collection intrudes to an unreasonable extent, the agency must consider:
Generally, it will be necessary to consider why the information is being collected to determine if the intrusion is unreasonable.
The extent to which the collection is unreasonably intrusive will depend on the extent to which it is relevant and necessary for the purpose the agency is trying to achieve. If it is irrelevant or unnecessary, even the most minor of intrusions may be unreasonably intrusive.
Agencies must ensure that, when collected, personal information is is up to date and complete. Non-health agencies must also ensure it is relevant for the purpose it was collected.
A non-health agency must not ask for any irrelevant or extra information, or information it would be against the law to use. It must not collect information about a group of people when it only needs to know information about some of them.
The personal information an agency asks for must relate to its reasons for asking, and it must ensure that its collection methods are designed to only capture relevant information.
Example – trigger questions
If an agency uses one form for several purposes, care must be taken to capture only the information relevant for each purpose, for example, by using trigger questions, such as:
Question 1: Are you applying for this travel allowance because you have a disability?
If yes, go to Part 2; if no, go to question 2.
Question 2: Are you applying for this travel allowance because you are a sole parent?
If yes, go to Part 3; if no, go to question 3.
Question 3: Are you applying for this travel allowance because you are a full time student living away from home?
If yes, got to Part 4; if no, you are not eligible for this benefit.
Each of the various allowances is dealt with in a separate part of the form, and the person completing it is directed only to the relevant part by the trigger questions. In this way, the agency can use a multi-purpose form but only collect relevant information.
Some personal information can become outdated, while some will not change. For example, an individual’s email address may change regularly while their date of birth will never change. Collecting information directly from the individual will help ensure it is up to date. If it is collected from someone else, that person’s reliability should be assessed as part of deciding whether the information is up to date.
Personal information will be complete when it provides an entire picture or story, but the agency should only consider the circumstances relevant to the purpose of collection. For example, if an agency asks an individual if they have ever been charged with an offence, but does not ask if they were prosecuted and, if so, what the outcome was, then it may not have collected complete information, depending on the purpose of collection.
Agencies need to know all relevant facts in order to make good decisions, but they must also ensure they do not collect too much information. How much information is necessary to give the agency a complete picture will depend on the circumstances and the reason why the agency is collecting it.
If a benefit is available to married people the agency only needs to know if applicants are currently married, not if they have ever been divorced. While that information does give a complete picture of the applicant's married life, the agency does not need to know that for the purposes of assessing the person’s eligibility
Where it is reasonable and practicable, health agencies must collect personal information about an individual directly from the individual.
This will depend on the circumstances and involves balancing a number of possible factors including:
For example, it may be difficult to collect some information directly from an individual whose mental state is significantly impaired or compromised. In this instance, a relative or carer may be able to assist, however consideration should also need to be given to other factors:
Current as at: September 19, 2019