Power of the Information Commissioner to waive or modify the privacy principles

Overview

Information privacy laws are intended to create a balance between giving people control over their personal information and ensuring that information is available to people in government who need it, when they need it, in order to enable the necessary operation of government and the provision of services to the public. 

However, information and the situations in which it is needed can be diverse and changeable. The ways in which the government may need to use and deal with the information it holds can be so varied that, in certain circumstances, the privacy principles are not a good fit. They may need to be changed, loosened, or replaced in order to ensure that the public interest is not compromised by:

• a situation not contemplated at the time the privacy principles were put in place, or
• a situation so unique that it simply does not fit within the privacy principles.

The Information Commissioner has the power under section 157 of the Information Privacy Act 2009 (Qld) (IP Act) to grant public interest approvals where the public interest in non-compliance is stronger than the public interest in compliance. The existence of this power helps to maintain the balance. 

Section 157 of the IP Act

Section 157 of the IP Act allows an agency or bound contracted service provider to apply to the Information Commissioner for approval to not comply with the privacy principles or to comply in a different way. This is referred to by the Office of the Information Commissioner (OIC) as a public interest approval. It will only be granted if the public interest in not complying with the privacy principles outweighs the public interest in compliance.

The application

It is important that an agency contact the OIC before making an application for approval. The Information Commissioner's staff can provide information to agencies on preparing applications, and give guidance on what may or may not be an appropriate subject for which to seek a public interest approval.

The privacy principles

The definition of privacy principles in schedule 5 of the IP Act includes:

• the Information Privacy Principles (IPPs)
• the National Privacy Principles (NPPs)
• the requirements in section 33 of the IP Act with regards to transferring personal information outside of Australia
• the obligations with regard to contracted service providers in part 4 of chapter 2 of the IP Act.

Who can apply

An agency under section 35 of the IP Act may apply for approval to waive or modify one or more of the privacy principles. 

Only the agency which is proposing to do the act which requires the Information Commissioner's approval can apply. However, where several agencies wish to perform the same act and need the same waiver or modification of the privacy principles, for example, because of a similarity of functions or because of participation in an interagency project, they may apply together.

Details of the application and proposed approval

An application must be accompanied by a detailed plan of the action the agency wants to take and the steps it will follow to ensure the privacy interests of individuals are protected. A Privacy Impact Assessment may assist in preparing this plan. The approval should only go as far as is necessary to allow the function or activity the agency wishes to undertake. For example:

• the agency should not seek an approval to not follow IPPs 1 to 3 in relation to all its activities, when it only needs the exemption in relation to a specific project
• an agency should not seek an indefinite approval when the activity for which it is seeking it will only last for a set amount of time. 

The agency must explain in detail why the public interest in non-compliance outweighs the public interest in compliance and provide any evidence it has to support its claims.

It is important to bear in mind that an application for a public interest approval should not seek to detract from the privacy rights and protections afforded to individuals, nor should a public interest approval be sought in order to overcome a perceived hindrance caused by the privacy principles.

If applying for a modification, the agency must also set out the modified way in which it will comply with the privacy principles. If the agency is seeking an indefinite approval, it must make a strong case for why an approval for a set amount of time will not be sufficient. 

An agency's application for waiver or modification should include a proposed approval. A proposed approval should address all relevant issues, such as:

• identifying the privacy principles for which waiver or modification is sought
• providing a detailed and precise description of the personal information involved
• providing a detailed and precise description of the functions or activities involved
• identifying any class of individuals whose personal information will be affected by the approval
• setting out the details of any other agencies who are involved with, or which will be affected by, the proposed approval
• setting out detailed and specific reasons why the public interest in granting the proposed approval outweighs the public interest in the agency complying with the privacy principles
• setting out any alternative methods the agency has considered or attempted in order to carry out the function or activity in a way that complies with the privacy principles
• identifying the nature, extent and frequency of the function or activity.

Granting an approval

The Information Commissioner must be satisfied that, in regard to the proposed approval, the public interest in compliance with the privacy principles is outweighed by the public interest in carrying out the activity:

• in a way that does not comply with some or all of the privacy principles; or
• in a way that modifies the way in which they apply to the agency. 

The Information Commissioner will take into account all relevant considerations when determining whether to grant the approval. Some of the factors that may be relevant are as follows:

• The extent to which the proposed approval sets out in detail the class or classes of personal information affected by the approval and details the activity or function, or class of activities or functions for which approval is sought.
  
• Whether the proposed approval is consistent with the objects of the IP Act, taking into account the extent to which the proposed approval protects the privacy of individuals even with the waiver or modification of the principles, including any privacy protections which have been included in the proposed approval.
  
• The extent to which the proposed approval has the potential to cause harm to the individuals or to their reasonable expectations of privacy.
  
• Where the proposed approval affects only the information of an identifiable group or class of people – whether the proposed approval is discriminatory or whether there has been consultation with the group.
  
• The extent to which the modification of the privacy principles is clearly expressed and able to be understood, and whether explanatory sections or material have been included in the proposed approval.
  
• Where the proposed approval involves providing personal information to third parties, especially where they are outside Australia – the extent to which the information will be protected. Details of any contractual provisions or privacy legislation binding on the recipient should be included in the application. 
  
• Whether the agency has presented a business case that supports the proposed approval.
  
• The extent to which the agency would have genuine difficulty in complying with the privacy principles for the function or activity.

These public interest approvals are available on the OIC website.

Approving a public interest approval

Gazette notice

The Information Commissioner may, by gazette notice, give a public interest approval.

The Queensland Government Gazette (the Gazette) is published and released every Friday (except Good Friday and the Friday closest to Christmas) in hardcopy. On the Tuesday after this release date the electronic file is made available for free download.

The Legislative Assembly

Section 157(3) of the IP Act provides that sections 49 to 51 of the Statutory Instruments Act 1992 (Qld) apply to the notice. This means that the gazetted public interest approval must be tabled before the Legislative Assembly within 14 sitting days of it being gazetted. If not tabled, it will cease to have effect.

The Legislative Assembly may, if the motion is made within 14 sitting days of the notice being tabled, pass a resolution disallowing the gazetted public interest approval. If passed, the gazetted public interest approval will cease to have effect.

Publishing a public interest approval

The gazetted public interest approval must be placed on the website of the OIC. It will remain there while the approval is in force.

An agency which has been granted a public interest approval must, unless it is not practicable to do so, place a copy of the gazetted public interest approval on its website. 

Access and amendment and section 157 of the IP Act

IPPs 6 and 7 and NPPs 6 and 7 set out that agencies must give people access to their personal information, and permit them to seek to amend it. Generally, these privacy principles are given effect through chapter three of the IP Act. 

While the Information Commissioner can grant an approval waiving or modifying the privacy principles, there is no power under section 157 to waive or modify chapter three of the IP Act. 

The only entities which are subject to the privacy principles and not to chapter three of the IP Act are bound contracted service providers under section 35 of the IP Act. This means that they are the only entities who can apply for a waiver or modification of the obligation to grant individuals access to, and amendment of, their personal information.