The Key Privacy Concepts guidelines explain important words and phrases used in the Information Privacy Act 2009 (Qld) (IP Act). They are intended to assist in the interpretation and application of the privacy principles in the IP Act.
Disclosure as defined in the IP Act
Disclosure is defined in section 23(2) of the IP Act.
(2) An entity (the first entity) discloses personal information to another entity (the second entity) if—
(a) the second entity does not know the personal information, and is not in a position to be able to find it out; and
(b) the first entity gives the second entity the personal information, or places it in a position to be able to find it out; and
(c) the first entity ceases to have control over the second entity in relation to who will know the personal information in the future.
The second entity does not know the personal information
Does not know
Section 23(2)(a) of the IP Act requires an agency to consider if the second entity, the person to whom personal information is being given, knows the personal information.
The Macquarie dictionary relevantly defines know as:
- to be cognisant or aware of; to be acquainted with (a thing, place, person, etc.), as by sight, experience, or report
- to be cognisant or aware, as of some fact, circumstances, or occurrence; have information, as about something.
Therefore the second entity must not be aware of the personal information in question. If an agency intends to supply personal information to another entity on the grounds that the second entity already knows it, the agency must have evidence before it which is sufficient for it to rely on.
An agency officer phones Individual A to give them some information about their application for flood relief and they are not home. The person who answers the phone, Person B, says that the officer can tell them, because they “know all about it”. The officer has no verifiable evidence that Person B does, in fact, know about the matters and so should not give Person B the information to pass on. A message to return the officer’s call is all that should be left
If, however, the application was the joint application of Individual A and Person B, then the officer could be satisfied that Person B knew the personal information of Individual A, and so telling them would not be a disclosure.
Is not in a position to be able to find it out
Section 23(2)(a) of the IP Act also requires an agency to consider if the second entity is in a position to be able to find out the personal information.
This requires more than the ability to ask the individual for the information. There must be something in the relationship between the second entity and the personal information, or the individual the personal information is about, that would allow the second entity to definitely be able to acquire it through other means than receiving it from the first agency.
Agency A and Agency B lawfully have joint access to the same database which contains personal information. Agency A’s computer network is down and so they are temporarily unable to use their access rights and there is an urgent need for information about Person X. Agency B could search the database for that information and provide it to Agency A without it being a disclosure, as Agency A has the ability to find that information about, but their ability is temporarily hindered.
Generally – except where providing a copy of the information the second entity provided to the first entity – if the second entity knows the information, or is in a position to acquire it through other means, then the first entity should allow the second entity to use the information they have, or to acquire it in another way.
The first entity gives the second entity the information
Section 23(2) of the IP Act provides that an agency (the first entity) discloses information if it gives it to anyone else (the second entity) or places the second entity in a position to find it out.
The first entity gives the second entity personal information when it actively provides it to the second entity, whether deliberately or by accident.
The first entity places the second entity in a position to be able to find out personal information when it does nothing to prevent a second entity from finding out the personal information. This will most often happen by way of an omission, for example, by failing to properly secure personal information.
The first entity ceases to control the personal information
The first entity ceases to have control over the second entity if it has no legal means or method by which to compel the second entity to deal with the personal information in a given way, for example:
- forbidding the second entity to use the information
- forbidding it to give it to any other entity
- requiring its return or destruction.
If the first entity has no power to control the second entity in relation to the personal information, then it has no power to control who will know the personal information.
Current as at: July 19, 2013