Key privacy concepts - use and disclosure

Overview

Under the Information Privacy Act 2009 (Qld) (IP Act), agencies must comply with the Queensland Privacy Principles (QPPs).

The Key Privacy Concepts guidelines are intended to assist agencies by explaining important words and phrases used in the QPPs, the IP Act, and the Right to Information Act 2009 (Qld) (RTI Act).

Use as defined in the IP Act

Section 23(2) of the IP Act provides that an agency uses personal information if it:

  • manipulates, searches, or otherwise deals with the personal information; or
  • takes the information into account in the making of a decision; or
  • transfers the information from a part of the entity having particular functions to a part of the entity having different functions.

However, as set out in 23(3), this is not an exhaustive list. There are very few actions an agency can take in relation to personal information that will not be a use.

One significant exception is disclosure. Under 23(4), a use can never be a disclosure.

Disclosure as defined in the IP Act

Section 23(1) of the IP Act provides that an agency1 discloses personal information if it gives personal information to a second entity or places it in a position to find it out and:

  • the second entity does not already know it and is not in a position to find it out on their own; and
  • the agency ceases to have control over who will know the personal information in the future.

The second entity does not know the personal information

To be a disclosure, the second entity must not already know the personal information or be in a position to find it out.

It is not sufficient to assume the second entity knows the personal information, or they are likely to be aware of it. Agencies must have evidence that the second entity actually knows the information before relying on that knowledge to decide giving it to them is not a disclosure.


Example

An agency officer phones Individual A to give them some information about their application for flood relief, but they're not home. Person B answers the phone and says the officer can tell them, because they “know all about it”. The officer has no verifiable evidence that Person B does, in fact, know all about it, which means they can't determine if giving the information to Person B would be a disclosure.

However, if the application had been jointly made by Individual A and Person B, the officer could be satisfied that Person B knew the personal information of Individual A, and so telling them would not be a disclosure.

And is not in a position to find it out

If the second entity does not know the personal information, agencies need to consider if they are in a position to be able to find it out.

It is not sufficient that the second entity can ask the individual for the information. There must be something in the relationship between the second entity and the personal information or the individual that means the second entity has the power to acquire it through other means.

However, if the second entity is in a position to acquire the information through other means, agencies should consider whether it is more appropriate for the second entity to acquire it in that other way.

Gives or places in a position to find out

To be a disclosure, the agency must give personal information to the second entity or place the second entity in a position to find it out.

An agency gives personal information to the second entity when it communicates it to them directly, for example by emailing it or providing it verbally over the phone.

An agency places the second entity in a position to find personal information out when the agency does something with the entity or the personal information that allows the entity to discover it, for example:

  • the agency publishes personal information on its website
  • the agency gives a third party access to a database of personal information; or
  • the agency fails to properly secure its systems, which allows someone to access personal information.

Ceases to control who will know the personal information

Disclosure also requires that, once the second entity has the personal information or is in a position to find it out, the agency ceases to have control over who will know it in the future.

The agency ceases to have control if it has no right or power to determine or influence how the second entity will deal with the personal information. For example, the agency must not be able to:

  • prevent the second entity from using the information
  • prevent the second entity from giving it to any other entity
  • require it to be stored or secured in a particular way; or
  • require its return or destruction.

If the agency does have the power to control how the second entity handles or deals with the personal information, then giving it to the second entity is not a disclosure.

  • 1 Section 23(2) refers to the first entity and second entity, but in this guideline the first entity is referred to as the agency.

Current as at: July 1, 2025