Key privacy concepts - agreement and consent
The Key Privacy Concepts guidelines explain important words and phrases used in the Information Privacy Act 2009 (Qld) (IP Act). They are intended to assist in the interpretation and application of the privacy principles in the IP Act.
Agreement and consent
The concepts of agreement and consent are not identical, but they are sufficiently similar that they can be explained together for the purposes of applying the IP Act. 'Agreement' will be used in this section but the principles apply equally to consent.
Agreement and consent are central to information privacy, which revolves around ideas of control over, and knowledge about, what is being done with an individual’s personal information.
An individual's agreement is not necessarily required to collect, use or disclose personal information. The privacy principles allow agencies to collect, use and disclose without agreement, but only in specific circumstances.
Privacy principles that refer to agreement or consent
- IPP 10(1)(a)
- IPP 10(1)(f)(iii)
- IPP 11(1)(b)
- IPP 11(1)(f)(iii)
- IPP 11(4)(a) (consent)
- NPP 2(1)(b) (consent)
- NPP 2(1)(c)(i)
- NPP 2(3)(a)
- NPP 2(3)(c)
- NPP 2(5)(a) (consent)
- NPP 9(1)(c)
- NPP 9(3)(c)
- Section 33(a)
Elements of agreement
There are some essential factors that must be present for agreement to be valid. The individual has the capacity to agree and the the agreement is:
- specific; and
Whether these factors can be met will depend on the specific circumstances and the nature of the information and the individual.
An individual may not be capable of giving agreement. Factors such as age or physical or mental disability may prevent the individual from understanding the general nature and effect of giving or withholding agreement. An agency must be sure that the individual has the necessary capacity to understand what is being asked of them before it can rely on their agreement.
If the individual has an authorised representative who is willing to agree on their behalf, the agency needs to satisfy itself that they have the necessary authority.
Where the personal information is about a child or young individual, they may be able to agree to the use or disclosure of their personal information if they have sufficient maturity. If there is a question as to whether or not the individual has the capacity to make their own decisions, the below checklist should assist.
- What are the privacy principles or complaint mechanisms that are relevant to the information handling conduct?
- Does the person have the capacity to exercise their entitlements under the privacy principles and the privacy law (including the complaints mechanism) in relation to the conduct?
- Has the person been given an opportunity to express their views or opinions about how their personal information is handled?
- Has the person been provided with support that is appropriate to their capabilities and their cultural and linguistic background, to enable them to be involved in a decision about the conduct?
- Has the person previously expressed a view or wish about the conduct of which the agency is aware or could reasonably make itself aware?
- Is there any reason why the person’s current wishes or previously expressed wishes cannot be followed?
- Is it possible to seek the views or consent of the person’s representative? If so, how was the person’s representative identified?
- Have the views or consent of the representative been considered?
- Have all other relevant criteria been assessed and considered before making a final decision about what happens to the person’s information?
In order for the agreement to be valid, it must be freely given. An agency cannot:
- trick someone into agreeing
- require agreement before allowing an individual to exercise a right
- threaten to sanction or penalise the individual if agreement is not given.
In deciding if agreement is freely given, an agency should take into account:
- the extent to which the individual the information is about can influence the way in which an agency handles the information
- the alternatives open to the individual the information is about if they choose not to agree
- any serious financial consequences (judged from what the agency can reasonably infer from the circumstances of the individual the information is about) that could flow from refusing to agree
any undesirable social consequences, such as embarrassment, if they refuse to agree.
In order for agreement to be valid, the agency must give the individual enough information to understand:
- what personal information is to be collected, used or disclosed
- for what purpose or purposes
- who the information is being given to, any person or body they will pass it on to, and what use the recipient(s) will make of the information
- the consequences of agreeing; and
- the consequences of refusing agreement.
Providing incorrect or misleading information to the individual, whether deliberately or inadvertently, may render the agreement invalid.
Broad, sweeping statements seeking agreement, such as ‘I agree to the agency using or disclosing my personal information for any purpose’, are to be avoided because they do not give the individual a clear idea of what they are agreeing to. If the purported agreement is too broad then it may not be valid, and the agency may breach the IP Act if it relies on it.
The level of specificity required will depend on the circumstances and the sensitivity of the personal information. Generally, the more sensitive the information, or the more privacy-invasive the proposed use or disclosure, the narrower and more specific the agreement must be. Relevant factors include:
- the nature of the personal information
- the proposed use or disclosure; and
- for disclosure, the identity of the recipient, including any privacy restrictions that apply to it and the recipient’s level of accountability.
Additionally, an agency should not seek a broader agreement than is necessary for its purposes. It must have a clear understanding of what it needs to do with the personal information and phrase the agreement accordingly.
Where an agency asks an individual to agree to multiple unrelated uses or disclosures of their personal information, without giving the individual an opportunity to choose which of the uses and disclosures they agree to and which they don’t, the agency is bundling the agreement.
Bundling must be avoided. If an agency wishes to ask an individual to agree to multiple uses or disclosures of their personal information, they should address each use or disclosure separately, so the individual can indicate which they agree to and which they do not. This approach will help ensure that agencies do not breach the IPPs or the NPPs.
An agency seeks agreement to use an individual’s personal information for medical research, for direct marketing, and to disclose it to a third party marketing company to provide targeted advertising. The person cannot agree to the first purpose without agreeing to all the others. Particularly where one of the uses/disclosure is socially beneficial, people may be pressured to agree.
Agreement does not generally last forever. Agreement given at a particular time in particular circumstances cannot be assumed to continue indefinitely. When requesting agreement, an agency should advise the individual of the specified period for which it will be relied on. For example, if agreement is being sought to use the information in a project, the individual should be told how long the project is expected to run.
An agency must be sure that the agreement is current before relying on it. If more than six months have passed, an agency should not assume the agreement is still current.
An agency should tell the individual that their agreement can be withdrawn, and the practical effect of that withdrawal. Where an individual has agreed to the agency disclosing their personal information to a third party, withdrawal after the disclosure has taken place will not have any effect on the action already taken but will have effect on any future action.
Withdrawal of agreement does not require the agency to retrieve the information, as its disclosure was lawful at the time it occurred.
The agency might consider whether it could take reasonable steps to retrieve the information, or request the recipient to stop using it. Where the information was disclosed for a specific purpose that is ongoing, for example, a project, the agency might take reasonable steps to request that the information no longer be used by the third party for that purpose, if that is feasible.
The agency must tell the individual how they can withdraw their agreement, and must not create difficult or unnecessarily complex processes that might discourage people from doing so.
Agreement in the IP Act includes implied agreement. As a general rule, an agency should seek express agreement in writing. The more sensitive the personal information, or the more privacy invasive the use or disclosure, the stronger the case becomes for requesting express agreement. It is a risk to agencies to rely on implied agreement.
Whether an individual has impliedly agreed is an objective test, to be determined by a reasonable inference from the individual’s actions. Relying on implied agreement requires the agency to make a judgement about what an individual’s actions mean. Wrong decisions can lead to serious breaches of privacy, and if a complaint is made, the onus is on the agency to prove the implied agreement.
Agreement should not be inferred simply because:
- most people have agreed to the same use or disclosure
- the benefits to the individual of agreeing, in the agency’s opinion, means the individual would probably consent if asked
- the individual has agreed in the past
- the disclosure is to a spouse or family member
- the individual the information is about has not objected
- the use or disclosure seems advantageous to that individual.
- If an individual appeals to an agency that handles complaints, that agency should not assume the individual would agree to it disclosing personal information to the agency’s State or Territory counterparts. The agency must check with the person to see if this use or disclosure is acceptable.
- An agency should not assume that because an application for a particular benefit agrees to their referee knowing some personal information about them, they agree to all related information being disclosed to the referee. An agency can only assume an individual agrees to the extent that there is conclusive evidence of agreement.
However, where an individual has their Member of Parliament (MP), doctor, or solicitor write to an agency about a particular matter, an agency can assume that the individual impliedly agrees to the agency replying, including with any personal information about the person, to the MP, doctor, or solicitor.
Notice versus agreement
A collection notice under IPP 2 or NPP 1(3) must not be confused with agreement. If someone is provided with a collection notice, an agency is advising the individual of what is going to happen to their personal information. The individual is not required to agree with the notice, or to give permission for it to happen.
Agreement is a voluntary arrangement between an agency and an individual. The agency asks the individual to allow it to deal with their personal information in a certain way, and the individual is free to grant or withhold that agreement. Agreement may be sought at the initial collection of information, but it should be kept separate from the collection notice.
In many situations where an agency collects personal information the individual has no real choice to refuse to provide the information.
If the person is seeking a licence, or applying for a job, they must provide certain personal information. The only choice they have to refuse to provide the personal information is to give up the right to apply for the licence or the job.
Current as at: July 19, 2013