QPP 4 - Dealing with unsolicited personal information

Overview

All Queensland government agencies¹ must handle personal information in accordance with the Queensland Privacy Principles (QPP) in the Information Privacy Act 2009 (Qld) (IP Act).

This guideline is based on and includes material from the Australian Privacy Principle guidelines developed by the Office of the Australian Information Commissioner.

What is personal information?

Section 12 of the IP Act provides that personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information is true or recorded in a material format.

The individual does not need to be directly identified in the information for it to be personal information. It is sufficient if they can reasonably be identified by reference to other information.

Refer to Key privacy concepts – personal and sensitive information for more information.

QPP 4 – Unsolicited personal information

All personal information acquired by an agency is either solicited or unsolicited personal information. QPP3 governs the collection of solicited personal information.

Unsolicited personal information is personal information received by an agency that the agency took no active steps to collect. It is information that someone gives or sends to an agency at their own instigation, for example a petition from a community member that includes their personal information and the personal information of the signers.

Under QPP4, when agencies receive unsolicited personal information they must decide whether, if the agency had solicited it, it could have been collected under QPP 3.

If the agency would not have been permitted to collect, it under QPP 3—and the information is not contained in a public record²—the agency must destroy or deidentify the information as soon as practicable if it is lawful and reasonable to do so.

The agency must destroy or deidentify the unsolicited personal information as soon as practicable if:

• it would not have been permitted to collect the personal information under QPP 3, and
• it is not contained in a public record
• if it is lawful and reasonable to do so.

All unsolicited personal information retained by the agency must be dealt with it in accordance with QPPs 5-13.

What is unsolicited personal information

Personal information received by an agency is either solicited or unsolicited. Unsolicited personal information must be dealt with in accordance with QPP 4, which means an agency must first identify whether the information was solicited or unsolicited.

As noted above, personal information is unsolicited if the agency took no active steps to collect it. Examples of unsolicited personal information include:

• misdirected mail received by an agency
• correspondence sent to agencies from members of the community or other unsolicited correspondence sent to an agency
• a petition sent to an agency that contains names and addresses
• an employment application sent to an agency on an individual’s own initiative and not in response to an advertised vacancy
• a promotional flyer containing personal information, sent to an agency by an individual promoting the individual’s business or services.

As a general rule, if an agency requests certain personal information and the person they requested it from provides additional personal information, beyond what the agency asked for, the additional personal information should be treated as unsolicited. For example:

• if an individual completes an application form provided by an entity but chooses to attach financial records the agency did not ask for, the records would generally be unsolicited personal information; or
• if an agency requests an individual’s medical records about a specified injury from another entity, and the entity provides all of the individual’s medical records, the records that do not relate to the specified injury would generally be unsolicited personal information.

Where it is unclear whether personal information is solicited or unsolicited, agencies should focus on the nature of the additional personal information and the connection it has with the agency’s request. If the agency cannot decide, it is generally safest to treat the personal information as unsolicited personal information and destroy or deidentify it if it is lawful and reasonable to do so.

Determining what to do with unsolicited personal information

If an agency decides that personal information it receives is unsolicited, it must identify what QPP 4 requires.

The first step is for the agency to determine:

• Is the personal information contained in a public record?
• Would QPP 3 have permitted the agency to collect the personal information?

QPP 4 states that this must be done within a reasonable period after receiving the information. The length of time that constitutes within a reasonable period will depend on the circumstances. The agency can undertake any internal processes necessary to make its determination, but it should do so as promptly as possible.

QPP 3 permits use or disclosure of unsolicited personal information to the extent necessary to determine if the agency could have collected it under QPP 3 or if it is contained in a public record.

Contained in a public record

Information will be contained in a public record if it meets the definition in section 6 of the Public Records Act 2023 (Qld). Public records must be retained, and can only be disposed of, in accordance with the relevant Retention and Disposal Schedule issued by the State Archivist.³

If information is contained in a public record, the agency does not need to consider whether it could have been collected under QPP 3. The information must be retained and handled in accordance with QPPs 5-13 and the Public Records Act 2023 (Qld) and must not be destroyed or deidentified.

Collectable under QPP 3

The QPP 3 – Collection of solicited personal information guideline will assist agencies in determining if unsolicited information could have been collected under QPP 3, but essentially QPP 3 requires:

• that the personal information is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities
• that it must be collected directly from the individual unless QPP 3 provides otherwise
• where the information is sensitive information, it must be collected from the individual unless QPP 3 provide otherwise.

It the agency determines that it could have collected the personal information under QPP 3, the agency may keep the personal information. If it keeps it, the personal information must be handled in accordance with QPPs 5-13.

If the agency determines that unsolicited personal information is not a public record and could not have been collected under QPP 3, it must determine if the information can be deidentified or destroyed.

Destruction or deidentification of unsolicited personal information

Once an agency determines that unsolicited personal information could not have been collected under QPP 3 and is not a public record, it must determine if it is lawful and reasonable to destroy or deidentify the personal information.

Lawful destruction or deidentification

It will be lawful for an agency to destroy or deidentify unsolicited personal information if doing so is not criminal, illegal, or prohibited or proscribed by law (i.e., unlawful). Unlawful activity does not generally include breach of a contract.

Destruction will not be lawful where:

• an Act or Regulation requires the agency to retain the personal information; or
• a court, tribunal, or body with legal power to issue binding orders has made an order requiring the personal information to be retained for a specified purpose or period.

It is important that agency officers dealing with unsolicited personal information are aware of and, where needed, make the necessary inquiries to identify any legal rules or orders that would make it unlawful to destroyed or deidentify the information.

If destruction or deidentification is lawful, the agency must determine if doing so would be reasonable.

Reasonable to destroy or deidentify

Whether destruction or deidentification will be reasonable is a question of fact to be determined in each individual situation. It is an objective standard, having regard to how a reasonable person who was properly informed would be expected to act in the circumstances.

Relevant considerations can include:

• the amount and sensitivity of the personal information
• whether unsolicited personal information is entwined with solicited personal information in way that would be difficult, impractical, or impossible to separate
• any request from a law enforcement agency to retain the unsolicited pending completion of an investigation
• if the agency considered a range of options for destroying or deidentifying the personal information
• any request from the individual that the agency retain or return the personal information
• if destruction or deidentification of all the information is unreasonable in a short timeframe, whether it could be undertaken in stages; and
• the practicability, including time and cost involved. However, an agency cannot avoid destroying or deidentifying the personal information only because it would be inconvenient, time-consuming or impose some cost. Whether these factors make it unreasonable to destroy or deidentify personal information will depend on whether the burden is excessive in all the circumstances.

These and other relevant considerations should be applied cautiously. Before deciding that unsolicited personal information cannot reasonably be destroyed or deidentified, agencies should examine all viable options for doing so. For example, if solicited and unsolicited personal information is intertwined, agencies could consider whether it is practicable to create a new document containing only the solicited personal information, allowing the original to be deidentified or destroyed.[4]

As soon as practicable

Once an agency has decided that it is both lawful and reasonable to destroy or deidentify unsolicited personal information, the agency must do so as soon as practicable.

A practicable timetable can take technical and resource considerations into account, along with the time it takes to make necessary internal or external inquiries. However, it is the agency’s responsibility to justify any delay in destroying or deidentifying unsolicited personal information.