All agencies - Obligations when collecting personal information

Health agencies1 are required to comply with the National Privacy Principles (NPPs), and all other agencies2 with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).

In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.

Under IPPs 1 and 3 and NPP 1(1) and (2), non-health agencies and health agencies have specific obligations when they collect personal information3. These include only collecting personal information needed for the agency's functions and doing so only in lawful, fair, and non-intrusive ways. Health agencies and non-health agencies each have additional obligations.

Collecting personal information

Personal information collection is a fundamental part of information privacy regulation. Significant amounts of personal information are collected by agencies and that collection must comply with the privacy principles. The primary considerations when collecting personal information are:

  • what information is needed to carry out the agency’s purpose?
  • can the purpose be achieved without collecting it?

If the answer to the second question is yes, then the information should not be collected.

The privacy principles

IPP 1—Collection of personal information (lawful and fair)

(1)  An agency must not collect personal information for inclusion in a document or generally available publication unless—

(a)  the information is collected for a lawful purpose directly related to a function or activity of the agency; and

(b)  the collection of the information is necessary to fulfil the purpose or is directly related to fulfilling the purpose.

(2)  An agency must not collect personal information in a way that is unfair or unlawful.

IPP 3—Collection of personal information (relevance etc.)

(1) This section applies to the collection by an agency of personal information for inclusion in a document or generally available publication.

(2) However, this section applies to personal information only if the agency asks for the personal information from any person.

(3) The agency must take all reasonable steps to ensure that—

(a)  the personal information collected is—

(i) relevant to the purpose for which it is collected; and

(ii) complete and up to date; and

(b)  the extent to which personal information is collected from the individual the subject of it, and the way personal information is collected, are not an unreasonable intrusion into the personal affairs of the individual.

NPP 1—Collection of personal information

(1)  A health agency must not collect personal information unless the information is necessary for 1 or more of its functions or activities.

(2)  A health agency must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

(4)  If it is reasonable and practicable to do so, a health agency must collect personal information about an individual only from that individual.

NPP 3—Data quality

A health agency must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.

Unsolicited personal information

Agencies often acquire personal information that they do not solicit.  This may be part of their function—for example, law enforcement agencies rely on reports from the public about potential breaches of the law—but all agencies will inevitably receive unsolicited personal information. For example, it may arrive when an:

  • agency asks for some personal information and the individual provides more than has been asked for; or
  • individual sends personal information to an agency that the agency has not asked for.

An agency does not breach the collection privacy principles when it receives unsolicited irrelevant personal information, because the collection principles do not apply to unsolicited personal information.

Dealing with unsolicited personal information

Generally, an agency cannot automatically destroy or return unsolicited personal information. This is because the Public Records Act 2002 (Qld) requires agencies to retain documents in accordance with retention and disposal schedules.  An agency will need to determine if information received is a public record before consideration is given to returning or destroying it.

If the agency is required to retain the information4, all reasonable steps must be taken to safeguard it, but if it is not relevant:

  • an agency should not take it into consideration in any decision making processes; and
  • if possible, it should be stored separately from information that is regularly used by agency staff.

Information must be necessary for a function or activity

An agency must have a clear purpose for collecting personal information. The purpose of collection should be specific, and it should relate to the current reason for collecting the information.

Collection notices

Refer to What to tell people when collecting personal information for more information about detailing the purpose for collection and what an agency must tell people when collecting information from them.

Agencies must comply with any legislation that deals with personal information collection, for example, an Act may require that information be provided, or it may regulate how it is dealt with. If an agency is collecting information under an Act, the Act will generally determine the purpose for collection.

Function or activity of the agency

The purpose the personal information is intended to fulfil must be directly related to one or more of the agency's functions or activities. An agency's functions and activities may be broadly defined under an Act and refined by regulation, departmental or Council policy, Ministerial direction or whole of government or policy.

Necessary to fulfil the purpose

The personal information being collected must be necessary for the function or activity the agency is undertaking.  It will only be necessary where the collection of the personal information directly helps to achieve that purpose and the purpose could not reasonably happen without the information.

Asking for irrelevant information will breach the privacy principles because it is not necessary for the functions or activities.  For example:

  • collecting information about a group of people when information is only needed about some of the people in the group
  • collecting a wide range of personal information when only specific facts are needed
  • recording unnecessary information where it is provided verbally—only relevant information should be written down
  • taking copies of identification (for example, a passport) where it is only necessary to see it; or
  • collecting unnecessary background or financial information.

Forms, questionnaires, interview questions and other tools for gathering personal information must be assessed against the purpose an agency is trying to fulfil, to ensure that they collect only necessary personal information and do not go further than is needed.

Unnecessarily recording identity

When collecting information, agencies should only collect identifying information where the identity of the individual is necessary to fulfil the purpose.

Collection must be lawful and fair

Health agencies must collect information by lawful and fair means and non-health agencies must not collect information in unlawful or unfair ways.

Collection must be lawful

For collection to be lawful, it must be done in accordance with the law and not be done in a way that breaches a law. This includes criminal, civil and common law. Unlawful collection includes:

  • any collection of personal information directly or indirectly prohibited by another law, eg restrictions on collecting specific information or collecting information in specific circumstances; and
  • where an agency has the power to collect the information, but it exercises the power improperly or exceeds the power.

Examples

  • Audio recording conversations or using listening devices may be contrary to the Invasion of Privacy Act 1971 (Qld).
  • Tax file number collection is subject to conditions in the Taxation Administration Act 1953 (Cth).

Collection will also be unlawful where the action of collecting the information breaches a law, for example where the collector trespasses to obtain it.

Collection must be fair

Collection of information will be fair if the agency is open and not misleading, and if the individual is not coerced or intimidated into providing information against their will. When collecting personal information, agencies must not:

  • mislead people about the confidentiality of information
  • misrepresent what it will do with the information
  • mislead people about who is collecting personal information, or why the information is being collected
  • make false or misleading claims about the consequences of not giving information
  • collect voluntary information as if it was compulsory, for example, by telling people that they are legally required to answer all questions on a form when some questions may be optional; or
  • obtain information by trickery, misrepresentation, deception or under duress.

Collection must not be unreasonably intrusive

Health agencies must not collect personal information in a way that is unreasonably intrusive. This obligation applies regardless of who the information is collected from.

For non-health agencies, the obligation only applies when information is collected from the individual it is about and is phrased as 'not intruding unreasonably on the individual's personal affairs'. Personal affairs refers to the individual's private or domestic life, and is not related to their work or business.

Do not intrude unreasonably

When an agency collects personal information, it may do so passively, eg by making a website form available, or actively, eg by interviewing an individual. Some active ways will inevitably intrude on the individual; the agency's obligation is to ensure this intrusion is not unreasonable.

When considering whether the collection intrudes to an unreasonable extent, the agency must consider:

  • how much information it is asking the individual for; and
  • the methods it uses to collect the information.

Generally, it will be necessary to consider why the information is being collected to determine if the intrusion is unreasonable.

The extent to which the collection is unreasonably intrusive will depend on the extent to which it is relevant and necessary for the purpose the agency is trying to achieve. If it is irrelevant or unnecessary, even the most minor of intrusions may be unreasonably intrusive.

Complete, up to date, and relevant for the purpose

Agencies must ensure that, when collected, personal information is is up to date and complete. Non-health agencies must also ensure it is relevant for the purpose it was collected.

Non-health agencies - relevant for the purpose

A non-health agency must not ask for any irrelevant or extra information, or information it would be against the law to use.  It must not collect information about a group of people when it only needs to know information about some of them.

The personal information an agency asks for must relate to its reasons for asking, and it must ensure that its collection methods are designed to only capture relevant information.

Example – trigger questions

If an agency uses one form for several purposes, care must be taken to capture only the information relevant for each purpose, for example, by using trigger questions, such as:

Question 1: Are you applying for this travel allowance because you have a disability?

If yes, go to Part 2; if no, go to question 2.

Question 2: Are you applying for this travel allowance because you are a sole parent?

If yes, go to Part 3; if no, go to question 3.

Question 3: Are you applying for this travel allowance because you are a full time student living away from home?

If yes, got to Part 4; if no, you are not eligible for this benefit.

Each of the various allowances is dealt with in a separate part of the form, and the person completing it is directed only to the relevant part by the trigger questions.  In this way, the agency can use a multi-purpose form but only collect relevant information.

Complete and up to date

Up to date

Some personal information can become outdated, while some will not change. For example, an individual’s email address may change regularly while their date of birth will never change.  Collecting information directly from the individual will help ensure it is up to date. If it is collected from someone else, that person’s reliability should be assessed as part of deciding whether the information is up to date.

Complete

Personal information will be complete when it provides an entire picture or story, but the agency should only consider the circumstances relevant to the purpose of collection. For example, if an agency asks an individual if they have ever been charged with an offence, but does not ask if they were prosecuted and, if so, what the outcome was, then it may not have collected complete information, depending on the purpose of collection.

Agencies need to know all relevant facts in order to make good decisions, but they must also ensure they do not collect too much information. How much information is necessary to give the agency a complete picture will depend on the circumstances and the reason why the agency is collecting it.

Example

If a benefit is available to married people the agency only needs to know if applicants are currently married, not if they have ever been divorced. While that information does give a complete picture of the applicant's married life, the agency does not need to know that for the purposes of assessing the person’s eligibility

Health agencies – where possible collection must be directly from the individual

Where it is reasonable and practicable, health agencies must collect personal information about an individual directly from the individual.

This will depend on the circumstances and involves balancing a number of possible factors including:

  • whether it is possible to collect the information directly from that individual
  • whether a reasonable individual might expect information about them to be collected directly or indirectly
  • how sensitive the information is
  • the cost of collecting directly rather than indirectly; and
  • the consequences for the individual if the information is collected indirectly rather than directly.

For example, it may be difficult to collect some information directly from an individual whose mental state is significantly impaired or compromised.  In this instance, a relative or carer may be able to assist, however consideration should also need to be given to other factors:

  • What is the nature of the information (ie its sensitivity)?
  • What are the consequences of not getting the information directly?
  • Is it appropriate to get that information directly at a later time when the individual’s mental state will be less impaired?
  • Would a reasonable individual expect that information about them would be collected indirectly in this circumstance?
  • 1 In this guideline, health agency includes a bound contracted service provider to a health agency.
  • 2 In this guideline, agency includes Ministers and bound contracted service providers to the agency.
  • 3 Any information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
  • 4 If an agency is not required to retain it, consideration should be given to disposing of it—either because it is not a public record or, if it is, in accordance with the relevant Retention and Disposal schedule—or returning it. Advice from internal public records staff or State Archives should be sought before doing so.

Current as at: September 19, 2019