Basic guide to NPP 1 - Collection

Please note that whilst National Privacy Principle (NPP) 1 sets out general collection obligations for health agencies, NPP 9 deals specifically with the collection of 'sensitive information'.

Collection of personal information

NPP 1 details the way that information should be collected by health agencies. Collection of personal information includes any information which is gathered, acquired or retained by health agencies, directly relating to at least one associated function or activity.

Importantly, there must be a clear purpose for collecting the information, and this should be relayed to the individual by an appropriate collection notice, detailing the intended use and/or disclosure of their personal information. Personal information about an individual should be collected directly from that individual where possible; however, this may depend on the situation, such as whether the individual is capable of providing information at the time.

Health agencies should only request the necessary information they require in a form that is fair and not intrusive, and by a process which is not unlawful. To target only the specific personal information that they require, the collection method should be structured to ensure that a vast amount of personal information is not collected for general purposes.

When an individual is disclosing personal information, NPP 1(3)(f) requires health agencies to advise an individual of the consequences if part or all of the information requested is not provided.

Purposes for use of personal information

The purpose of collecting personal information will often have a basis in law, and legislation may regulate the procedure by which the information may be collected. It is the responsibility of the health agency to clearly advise the individual about the function and purpose which the personal information will fulfill within that agency. Health agencies should also be aware that there may be limitations or prohibitions that protect the collection or use, once collected, of certain types of personal information. Requesting prohibited information or other personal information of no use to the health agency will be a breach of NPP 1.

Solicited and unsolicited information

Solicited information is information provided by an individual in response to a request or opportunity from a health agency to provide information through, for example:

  • a complaint form
  • an application form; and/or
  • a voluntary survey.

Unsolicited information is collected when an individual provides more personal information than was requested by a health agency. The NPPs apply equally to the collection of both solicited and unsolicited personal information; however, there are strict procedures that health agencies should undertake when dealing with unsolicited information, including:

  • storing unsolicited information separately from information regularly used by the health agency
  • checking the Public Records Act 2002 (Qld) to determine if the health agency is required to retain the unsolicited information in accordance with the disposal and retention schedule; and
  • if the health agency is not required to retain the information, then the health agency may return the information or destroy it, upon either legal advice or advice from the State Archivist.

Current as at: July 9, 2012