The Key Privacy Concepts guidelines explain important words and phrases used in the Information Privacy Act 2009 (Qld) (IP Act). They are intended to assist in the interpretation and application of the privacy principles in the IP Act.
The concepts of agreement and consent are not identical, but they are sufficiently similar that they can be explained together for the purposes of applying the IP Act. 'Agreement' will be used in this section but the principles apply equally to consent.
Agreement and consent are central to information privacy, which revolves around ideas of control over, and knowledge about, what is being done with an individual’s personal information.
An individual's agreement is not necessarily required to collect, use or disclose personal information. The privacy principles allow agencies to collect, use and disclose without agreement, but only in specific circumstances.
There are some essential factors that must be present for agreement to be valid. The individual has the capacity to agree and the the agreement is:
Whether these factors can be met will depend on the specific circumstances and the nature of the information and the individual.
An individual may not be capable of giving agreement. Factors such as age or physical or mental disability may prevent the individual from understanding the general nature and effect of giving or withholding agreement. An agency must be sure that the individual has the necessary capacity to understand what is being asked of them before it can rely on their agreement.
If the individual has an authorised representative who is willing to agree on their behalf, the agency needs to satisfy itself that they have the necessary authority.
Where the personal information is about a child or young individual, they may be able to agree to the use or disclosure of their personal information if they have sufficient maturity. If there is a question as to whether or not the individual has the capacity to make their own decisions, the below checklist should assist.
In order for the agreement to be valid, it must be freely given. An agency cannot:
In deciding if agreement is freely given, an agency should take into account:
any undesirable social consequences, such as embarrassment, if they refuse to agree.
In order for agreement to be valid, the agency must give the individual enough information to understand:
Providing incorrect or misleading information to the individual, whether deliberately or inadvertently, may render the agreement invalid.
Broad, sweeping statements seeking agreement, such as ‘I agree to the agency using or disclosing my personal information for any purpose’, are to be avoided because they do not give the individual a clear idea of what they are agreeing to. If the purported agreement is too broad then it may not be valid, and the agency may breach the IP Act if it relies on it.
The level of specificity required will depend on the circumstances and the sensitivity of the personal information. Generally, the more sensitive the information, or the more privacy-invasive the proposed use or disclosure, the narrower and more specific the agreement must be. Relevant factors include:
Additionally, an agency should not seek a broader agreement than is necessary for its purposes. It must have a clear understanding of what it needs to do with the personal information and phrase the agreement accordingly.
Where an agency asks an individual to agree to multiple unrelated uses or disclosures of their personal information, without giving the individual an opportunity to choose which of the uses and disclosures they agree to and which they don’t, the agency is bundling the agreement.
Bundling must be avoided. If an agency wishes to ask an individual to agree to multiple uses or disclosures of their personal information, they should address each use or disclosure separately, so the individual can indicate which they agree to and which they do not. This approach will help ensure that agencies do not breach the IPPs or the NPPs.
An agency seeks agreement to use an individual’s personal information for medical research, for direct marketing, and to disclose it to a third party marketing company to provide targeted advertising. The person cannot agree to the first purpose without agreeing to all the others. Particularly where one of the uses/disclosure is socially beneficial, people may be pressured to agree.
Agreement does not generally last forever. Agreement given at a particular time in particular circumstances cannot be assumed to continue indefinitely. When requesting agreement, an agency should advise the individual of the specified period for which it will be relied on. For example, if agreement is being sought to use the information in a project, the individual should be told how long the project is expected to run.
An agency must be sure that the agreement is current before relying on it. If more than six months have passed, an agency should not assume the agreement is still current.
An agency should tell the individual that their agreement can be withdrawn, and the practical effect of that withdrawal. Where an individual has agreed to the agency disclosing their personal information to a third party, withdrawal after the disclosure has taken place will not have any effect on the action already taken but will have effect on any future action.
Withdrawal of agreement does not require the agency to retrieve the information, as its disclosure was lawful at the time it occurred.
The agency might consider whether it could take reasonable steps to retrieve the information, or request the recipient to stop using it. Where the information was disclosed for a specific purpose that is ongoing, for example, a project, the agency might take reasonable steps to request that the information no longer be used by the third party for that purpose, if that is feasible.
The agency must tell the individual how they can withdraw their agreement, and must not create difficult or unnecessarily complex processes that might discourage people from doing so.
Agreement in the IP Act includes implied agreement. As a general rule, an agency should seek express agreement in writing. The more sensitive the personal information, or the more privacy invasive the use or disclosure, the stronger the case becomes for requesting express agreement. It is a risk to agencies to rely on implied agreement.
Whether an individual has impliedly agreed is an objective test, to be determined by a reasonable inference from the individual’s actions. Relying on implied agreement requires the agency to make a judgement about what an individual’s actions mean. Wrong decisions can lead to serious breaches of privacy, and if a complaint is made, the onus is on the agency to prove the implied agreement.
Agreement should not be inferred simply because:
However, where an individual has their Member of Parliament (MP), doctor, or solicitor write to an agency about a particular matter, an agency can assume that the individual impliedly agrees to the agency replying, including with any personal information about the person, to the MP, doctor, or solicitor.
A collection notice under IPP 2 or NPP 1(3) must not be confused with agreement. If someone is provided with a collection notice, an agency is advising the individual of what is going to happen to their personal information. The individual is not required to agree with the notice, or to give permission for it to happen.
Agreement is a voluntary arrangement between an agency and an individual. The agency asks the individual to allow it to deal with their personal information in a certain way, and the individual is free to grant or withhold that agreement. Agreement may be sought at the initial collection of information, but it should be kept separate from the collection notice.
In many situations where an agency collects personal information the individual has no real choice to refuse to provide the information.
If the person is seeking a licence, or applying for a job, they must provide certain personal information. The only choice they have to refuse to provide the personal information is to give up the right to apply for the licence or the job.
Current as at: July 19, 2013