Survey tools are routinely used by agencies to collect information for the improvement of programs and to inform development and service planning.
The Information Privacy Act 2009 (Qld) (IP Act) sets out obligations to ensure that the privacy of the personal information that Queensland Government agencies collect is protected. This guideline sets out the privacy considerations of conducting a survey.
Taking the ‘personal’ out of personal information
Personal information is any information about an individual whose identity is apparent or can reasonably be ascertained.1 If the survey does not collect information about reasonably identifiable individuals, it presents no privacy concerns.
It is a myth that surveys which do not ask for the respondent’s name are anonymous. You should not assume that just because the survey does not record the participants’ names that their participation is automatically anonymous. Individuals can be identifiable from information other than their name. For example, an individual’s identity may be ‘reasonably ascertainable’ where:
- the survey responses can be linked with other information – for example, if a survey of employees asks for the respondent’s position title and how long they have been working for the agency, this information could be linked with the agency’s personnel records to reveal a respondent’s identity
- the combination or precision2 of demographic characteristics, such as gender, age, occupation and indigenous status is sufficiently unique to identify a respondent; or
- the survey provides a free text option – as the agency has limited control over what text is entered, it may collect information that identifies the respondent or another individual.
Designing the survey
Broadly put, the collection obligations are:
- Collect only what personal information is relevant3.
- Do it lawfully, fairly, and so it is not an unreasonable intrusion4.
- Tell people why you are collecting their personal information, whether there is legislative authority for the collection, and who you will give it to (if it is your usual practice to give to an entity outside the agency)5.
Assessing what might be a ‘lawful and fair collection’ and a ‘not unreasonable intrusion upon the personal affairs of the individual concerned’ requires an agency to consider:
- how much information it is asking the individual for; and
- the methods it uses to ask the individual for the information.
The nature and amount of information being collected and the way in which it is collected should be able to be justified.
Tip: Collection notices
Providing a ‘collection notice’ to a respondent on commencement of the survey is a practical way to make them aware of how the agency will use and disclose their personal information.
A collection notice is a one-way communication that does not require that the individual agree with the content. As such, it does not constitute an agreement to their participation. However, where an individual has an element of choice in whether to participate in the survey—that is, the individual acts in a purely voluntary manner—it is arguable that the individual indicates their agreement through their choice to participate in the survey.
If the collection notice informs of the potential for publishing of the respondent's’ responses to a voluntary survey, then the participation of the respondent can also be taken as agreement for the publication of their responses.
However, caution needs to be taken with surveys that give respondents an option of providing a ‘free text’ response. While free text fields can encourage full and meaningful responses, it is this very flexibility that allows respondents to enter any text they wish, including the personal information of a third party. While the respondent themselves may have consented to the publishing of their response through their participation in the survey, any third party discussed in a free text field may not have provided agreement to their information being published; in fact, they may not even be aware of this until after the publishing has already taken place.
Distributing the survey
Two common methods of distributing a survey are to:
- promote its availability through established communication channels, such as the agency’s website or social media accounts; and
- use contact information (for example, email addresses) held by the agency.
Whether it is a breach of an agency’s privacy obligations to use existing contact information hinges on the purpose for which it collected this information in the first place—the primary purpose. Sometimes a ‘secondary purpose’ is actually part of the primary purpose. For example, conducting a trial of a product would entail collecting feedback on the product; the feedback is an integral part of the conduct of the trial and so it is part of the purpose as a whole.
Looking at the collection notice that was provided to the individual at the time of collecting their contact information can assist in determining whether the purpose of the survey is part of the primary purpose or a secondary use.
However, if the secondary purpose is distinct from the primary purpose—where it is a case of 'we got this data for this purpose but how good would it be to use it for something more than this'—then there is a secondary use and the agency will need to rely on one of the permitted exceptions to use personal information for a secondary purpose.
Two possible exceptions may be applicable to this circumstance.
The first exception6 is that the individual the subject of the personal information has expressly or impliedly agreed to the use of the information for the secondary purpose. The agency could send an email to customers asking them if they would consent to the agency using their email addresses to contact them about the potential secondary purpose, however this is in itself a secondary use.
Implied consent arises where consent may be reasonably inferred from the facts and circumstances of a particular situation. Reliance on implied consent always involves an element of risk. In general, there is a stronger presumption for implied consent where the individual concerned receives a clear benefit from the process and accordingly would not challenge the process that provided that benefit.
Here, the benefit is that the customer is given the opportunity to exercise a choice about the potential use of their email address for a service improvement exercise. However, implied consent is generally not reliable when dealing with a group of individuals, as the ‘law of averages’ would suggest that there will inevitably be some individuals who would not consent to the agency using their email address to contact them about the potential secondary use.
If an individual is contacted for the purpose of seeking their consent for participation in a survey and they decline to give their consent—the agency should respect this and no longer contact the individual for this purpose.
The second exception7 is that the other purpose is directly related to the purpose for which the information was obtained8. There must be a close association between the purpose for which the personal information was obtained and the purpose of the secondary use9. Looking at why the agency choose these particular individuals to receive the survey will assist in determining if the secondary purpose was closely associated with the primary purpose.
If an agency provides a service to an individual and it obtains and uses a contact email to deliver that service, it would be a ‘directly related secondary use’ to later contact the individual to obtain feedback on the service.
Online survey tools
The IP Act recognises that personal information can be particularly vulnerable when it passes outside of its jurisdiction. Section 33 of the IP Act states that an agency cannot transfer personal information outside Australia unless certain conditions are met.
Many of the popular online survey tools, such as SurveyMonkey and Google Forms, are provided by companies that are located overseas and/or use servers located outside Australia to store survey responses.
Also, if the agency intends to publish respondents’ survey responses online, for example, on a website or social media site, any personal information in the survey responses will potentially be accessible from outside Australia.
Section 33 sets out four circumstances in which an agency may transfer personal information out of Australia. The circumstances that are most likely applicable to conducting a survey are:
- where the individual the subject of the information agrees to the transfer10; or
- where the recipient of information is subject to privacy obligations equivalent to Queensland’s11.
Agreeing to the transfer
If a survey is voluntary, an agency can obtain the individual's agreement by making them aware of the potential for overseas transfer in the collection notice provided on commencement of the survey.
We are conducting this survey using SurveyMonkey, which means that the information collected in this survey will be transferred outside Australia and stored securely on SurveyMonkey's servers. By volunteering to complete this survey you agree to this transfer. You can find out more about how SurveyMonkey handles your personal information here12.
Agencies may not wish to impose conditions that could discourage respondents from participating in the survey. Designing a survey that does not collect personal information is a common method. Alternate options can include allowing respondents to provide feedback via email or telephone, or providing a downloadable version of the survey; this will enable individuals to exercise choice about how their personal information is handled.
Equivalent privacy regime
The twin operation of sub-sections 33(d)(i) and (iv) requires that personal information transferred overseas enjoys the same privacy protections as the information would have in Queensland. These protections include: collection and use of relevant personal information, security of storage and limits on secondary use and disclosure of personal information.
These protections are invariably set out in the terms of the contract for services. Determining an ‘equivalent privacy regime’ can be tricky. For highly particularised contracts that provide focussed cloud services, it is easier to demonstrate protection of the information. For ‘free’ and more generic services, their terms and conditions are usually geared around their commercial interests and may be set up to not limit the use of users’ personal information.
Tip: Reading terms and conditions
Before using an online survey tool, an agency should take reasonable steps to satisfy itself that the company which offers the tool will handle personal information appropriately.
Terms and conditions are not always easy to read as they can be long-winded, technically complex, and/or overly legalistic. However, if you know what to look for, you can easily get the information you are interested in. Here are a few pointers:
- Find the right section. While contract terms and conditions can be long, the ‘privacy’ section is usually only a few paragraphs and is often clearly titled with variations of ‘What personal information we collect’, ‘What we use it for?’, ‘Who we give it to’ and ‘How we protect your information’.
- How is the personal information going to be used? Check whether personal information will be used for other purposes. If additional uses are intended, look at whether there is an option to choose not to receive these services – such as an opt-out option.
- Will the personal information be given to someone else? Find out whether the personal information be shared with third parties and if so, for what purpose? Does the company use sub-contractors?
- How will the personal information be protected? Look for a description of the security measures that will be used to keep your personal information safe.
- 1 See section 12 of the IP Act for the full definition.
- 2 Such as collecting an individual’s age rather than age group.
- 3 Information Privacy Principle (IPP) 3 and National Privacy Principle (NPP) 1.
- 4 IPP 1 and NPP 1.
- 5 IPP 2 and NPP 1(3). NPP1(3) also requires that the collection notice include the identity of the health agency and how to contact it, the fact that the individual is able to gain access to the information they have provided, and the main consequences, if any, for the individual if all or part of the information is not provided.
- 6 IPP 10(1)(a) and NPP 2(1)(b).
- 7 IPP 10(1)(e) and NPP (1)(a).
- 8 For a health agency, the secondary purpose needs to be related to the primacy purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection.
- 9 For a health agency, NPP (1)(a) also requires that the individual would reasonably expect the health agency to use or disclose the information for the secondary purpose.
- 10 Section 33(a) of the IP Act.
- 11 Sections 33(d)(i) and 33(d)(iv) of the IP Act.
- 12 https://www.surveymonkey.com/mp/legal/privacy-policy/
Current as at: July 19, 2018