Key privacy concepts - consent

Overview

The Key Privacy Concepts guidelines are intended to assist agencies to comply with the Queensland Privacy Principles (QPPs) by providing a guide to key words and phrases used in the QPPs.

Consent

Consent is central to information privacy, which involves control over and knowledge about what is being done with an individual’s personal information.

The QPPs do not automatically require agencies to obtain consent before they can collect, use, or disclose personal information, but it can be an important element in QPP compliance.

As far as practicable, agencies should implement procedures and systems to obtain and record consent. This may assist to resolve any future question of whether the agency obtained consent.

Elements of consent

Consent in the QPPs means express or implied consent. The four key elements of consent are:

• the individual is adequately informed before giving consent
• the individual gives consent voluntarily
• the consent is current and specific, and
• the individual has the capacity to understand and communicate their consent.

Whether these requirements can be met will depend on the specific circumstances and the nature of the information and the individual.

Express or implied consent

Express consent means consent was explicitly given, for example, orally or in writing. It could include a handwritten signature, an oral statement or statement given in sign language, or use of an electronic medium or voice signature to signify consent.

Implied consent arises where an individual's consent can reasonably be inferred from the conduct of the individual and the agency.

As a general rule, agencies should seek express consent rather than relying on implied consent. It can be a risk to rely on implied consent, and the more sensitive the personal information or privacy invasive the circumstances, the stronger the case becomes for requesting express consent.

Whether an individual has impliedly consented is an objective test, to be determined by a reasonable inference from the individual’s actions. Relying on implied consent requires the agency to make a judgement about what an individual’s actions mean. Wrong decisions can lead to serious breaches of privacy, and if a complaint is made, the onus is on the agency to prove the implied consent.

Inferring consent

Generally, an individual’s silence should not be taken as consent. While there may be exceptions, it should not be assumed that an individual gave consent just because they did not object to, for example, notice of a proposed collection, use or disclosure.

Additionally, consent should not be inferred simply because:

• most people have consented to the same use or disclosure
• the agency believes the benefit to the individual of consenting means they would consent if asked
• the individual has consented in the past; or
• the circumstances involve the individual's spouse or family member.

For example:

• If an individual appeals to an agency that handles complaints, that agency should not assume the individual would consent to it disclosing personal information to the agency’s State or Territory counterparts.
• An agency should not assume that because an application for a particular benefit consents to their referee knowing some personal information about them, they consent to all related information being disclosed to the referee. An agency can only assume an individual consents to the extent that there is conclusive evidence of consent.

If an individual’s intentions are ambiguous or there is reasonable doubt about the individual’s intention, consent must not be assumed.

Opt-out mechanisms

Use of an opt-out mechanism to infer an individual’s consent will only be appropriate in limited circumstances, as the individual’s intention in failing to opt-out may be ambiguous.

An agency will be in a better position to establish implied consent where, relevantly:

• the opt out option was clearly and prominently presented
• it is likely that the individual received and read the information about the proposed collection, use or disclosure, and the option to opt out
• the individual was given information on the implications of not opting out
• the opt out option was freely available and not bundled with other purposes
• it was easy for the individual to exercise the option to opt out, for example, there was little or no financial cost or effort required by the individual
• the consequences of failing to opt out are not serious; and
• an individual who opts out at a later time will, as far as practicable, be placed in the position as if they had opted out earlier.

Capacity

An agency must be sure an individual has the necessary capacity before it can rely on their consent. An individual has the capacity to consent if they are capable of understanding the nature of a consent decision, including the effect of giving or withholding consent, forming a view based on reasoned judgement and how to communicate a consent decision.

An agency can generally presume an individual has the capacity to consent unless there is something to alert it otherwise, for example, the individual is a child or young person (see below). If an agency has doubts about whether an individual has capacity to consent at a particular time, it should not rely on any statement of consent given by the individual at that time.

Issues that could affect an individual’s capacity to consent include:

• age
• physical or mental disability
• temporary incapacity, for example during a psychotic episode, a temporary psychiatric illness, or because the individual is unconscious, in severe distress or suffering dementia; or
• limited understanding of English or other languages available to the agency.

Agencies should consider whether capacity issues can be overcome by giving the individual support to enable them to have capacity to consent, such as using an interpreter or offering alternative communication methods.

If an individual does not have capacity to consent, even with support or the provision of additional resources, and consent is required, an entity should consider who can act on the individual’s behalf. Options include:

• a guardian
• someone with an enduring power of attorney
• a person recognised by a relevant law, eg section 5 of the Permitted General Health Situations in schedule 4 of the IP Act; or
• a person who has been nominated in writing by the individual while they were capable of giving consent.

If the individual has an authorised representative who is willing to consent on their behalf, the agency needs to satisfy itself that they have the necessary authority.

Children and young people

The IP Act does not specify an age at which individuals can make their own privacy decisions. Agencies will need to determine on a case-by-case basis whether an individual under the age of 18 has the capacity to consent.

As a general principle, an individual under the age of 18 has capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person, for example, if the child is young or lacks the maturity or understanding to do so themselves.

Voluntary

Consent is voluntary if an individual has a genuine opportunity to provide or withhold consent. Consent is not voluntary where there is duress, coercion or pressure that could overpower the person’s will.

Factors relevant to deciding whether consent is voluntary include:

• the alternatives open to the individual, if they choose not to consent
• the seriousness of any consequences if an individual refuses to consent; and
• any adverse consequences for family members or associates of the individual if the individual refuses to consent.

An agency cannot trick someone into consenting, require consent before allowing an individual to exercise a right, or threaten to sanction or penalise the individual if consent is not given.

Bundled consent

Where an agency asks an individual to consent to multiple unrelated uses or disclosures of their personal information, without giving the individual an opportunity to choose which of the uses and disclosures they consent to, the agency is bundling the consent.

Bundling must be avoided. If an agency wishes to ask an individual to consent to multiple uses or disclosures of their personal information, they should address each use or disclosure separately, so the individual can indicate which they consent to and which they do not. This approach will help ensure that agencies do not breach the QPPs.

Informed

For consent to be valid, it must be informed. When seeking consent, agencies should ensure the individual has enough information to understand:

• what personal information is to be collected, used or disclosed
• for what purpose or purposes
• who the information is being given to, any person or body they will pass it on to, and what use the recipient(s) will make of the information
• the consequences of consenting; and
• the consequences of refusing consent.

This should be communicated in plain language, without legal or industry jargon. Providing incorrect or misleading information to the individual, whether deliberately or inadvertently, may render the consent invalid.

Be specific

Broad, sweeping statements seeking consent, such as ‘I consent to the agency using or disclosing my personal information for any purpose’, are to be avoided because they do not give the individual a clear idea of what they are consenting to. If the purported consent is too broad then it may not be valid, and the agency may breach the IP Act if it relies on it.

The level of specificity required will depend on the circumstances and the sensitivity of the personal information. Generally, the more sensitive the information, or the more privacy-invasive the proposed use or disclosure, the narrower and more specific the consent must be. Relevant factors include:

• the nature of the personal information
• the proposed use or disclosure; and
• for disclosure, the identity of the recipient, including any privacy restrictions that apply to it and the recipient’s level of accountability.

Additionally, an agency should not seek a broader consent than is necessary for its purposes. It must have a clear understanding of what it needs to do with the personal information and phrase the consent accordingly.

Currency of consent

Consent does not generally last forever; consent given at a particular time in particular circumstances cannot be assumed to endure indefinitely.

When requesting consent, it is good practice to inform the individual of the period for which the consent will be relied on in the absence of a material change of circumstances. For example, if consent is being sought to use the information in a project, the individual should be told how long the project is expected to run.

An agency must be sure that consent is current before relying on it.

Revocation of consent

Agencies should tell individuals that they can withdraw their consent and how to do so, and must not create difficult or unnecessarily complex processes that might discourage people from doing so. They should advise of any consequences which will arise from its withdrawal.

Where an individual has consented to the agency disclosing their personal information to a third party, withdrawal after the disclosure has taken place will not have impact the actions already taken but will limit any future action. Withdrawal of consent does not require the agency to retrieve the information, as its disclosure was lawful at the time it occurred.

QPP 5 matters versus consent

When collecting personal information, QPP 5 requires agencies to take reasonable steps to inform people of relevant matters listed in QPP 5. This must not be confused with consent.

Consent is a voluntary arrangement between an agency and an individual. The agency asks the individual to allow it to deal with their personal information in a certain way, and the individual is free to grant or withhold that consent.

Under QPP 5, an agency is telling the individual what will happen to their personal information. They are not asking for the individual's permission. Consent may be sought at the initial collection of information but should be kept separate from the QPP 5 matters.