Information privacy laws are intended to create a balance between giving people control over their personal information and ensuring that information is available to people in government who need it, when they need it, in order to enable the necessary operation of government and the provision of services to the public.
However, information and the situations in which it is needed can be diverse and changeable. The ways in which the government may need to use and deal with the information it holds can be so varied that, in certain circumstances, the privacy principles are not a good fit. They may need to be changed, loosened, or replaced in order to ensure that the public interest is not compromised by:
The Information Commissioner has the power under section 157 of the Information Privacy Act 2009 (Qld) (IP Act) to grant public interest approvals where the public interest in non-compliance is stronger than the public interest in compliance. The existence of this power helps to maintain the balance.
Section 157 of the IP Act allows an agency or bound contracted service provider to apply to the Information Commissioner for approval to not comply with the privacy principles or to comply in a different way. This is referred to by the Office of the Information Commissioner (OIC) as a public interest approval. It will only be granted if the public interest in not complying with the privacy principles outweighs the public interest in compliance.
It is important that an agency contact the OIC before making an application for approval. The Information Commissioner's staff can provide information to agencies on preparing applications, and give guidance on what may or may not be an appropriate subject for which to seek a public interest approval.
The definition of privacy principles in schedule 5 of the IP Act includes:
An agency under section 35 of the IP Act may apply for approval to waive or modify one or more of the privacy principles.
Only the agency which is proposing to do the act which requires the Information Commissioner's approval can apply. However, where several agencies wish to perform the same act and need the same waiver or modification of the privacy principles, for example, because of a similarity of functions or because of participation in an interagency project, they may apply together.
An application must be accompanied by a detailed plan of the action the agency wants to take and the steps it will follow to ensure the privacy interests of individuals are protected. A Privacy Impact Assessment may assist in preparing this plan. The approval should only go as far as is necessary to allow the function or activity the agency wishes to undertake. For example:
The agency must explain in detail why the public interest in non-compliance outweighs the public interest in compliance and provide any evidence it has to support its claims.
Agencies may wish to refer to the Guidelines on the Public Interest Factors under the Right to Information Act 2009 (Qld) for guidance in preparing their public interest arguments.
It is important to bear in mind that an application for a public interest approval should not seek to detract from the privacy rights and protections afforded to individuals, nor should a public interest approval be sought in order to overcome a perceived hindrance caused by the privacy principles.
If applying for a modification, the agency must also set out the modified way in which it will comply with the privacy principles. If the agency is seeking an indefinite approval, it must make a strong case for why an approval for a set amount of time will not be sufficient.
An agency's application for waiver or modification should include a proposed approval. A proposed approval should address all relevant issues, such as:
The Information Commissioner must be satisfied that, in regard to the proposed approval, the public interest in compliance with the privacy principles is outweighed by the public interest in carrying out the activity:
The Information Commissioner will take into account all relevant considerations when determining whether to grant the approval. Some of the factors that may be relevant are as follows:
These public interest approvals are available on the OIC website.
The Information Commissioner may, by gazette notice, give a public interest approval.
The Queensland Government Gazette (the Gazette) is published and released every Friday (except Good Friday and the Friday closest to Christmas) in hardcopy. On the Tuesday after this release date the electronic file is made available for free download.
Section 157(3) of the IP Act provides that sections 49 to 51 of the Statutory Instruments Act 1992 (Qld) apply to the notice. This means that the gazetted public interest approval must be tabled before the Legislative Assembly within 14 sitting days of it being gazetted. If not tabled, it will cease to have effect.
The Legislative Assembly may, if the motion is made within 14 sitting days of the notice being tabled, pass a resolution disallowing the gazetted public interest approval. If passed, the gazetted public interest approval will cease to have effect.
The gazetted public interest approval must be placed on the website of the OIC. It will remain there while the approval is in force.
An agency which has been granted a public interest approval must, unless it is not practicable to do so, place a copy of the gazetted public interest approval on its website.
IPPs 6 and 7 and NPPs 6 and 7 set out that agencies must give people access to their personal information, and permit them to seek to amend it. Generally, these privacy principles are given effect through chapter three of the IP Act.
While the Information Commissioner can grant an approval waiving or modifying the privacy principles, there is no power under section 157 to waive or modify chapter three of the IP Act.
The only entities which are subject to the privacy principles and not to chapter three of the IP Act are bound contracted service providers under section 35 of the IP Act. This means that they are the only entities who can apply for a waiver or modification of the obligation to grant individuals access to, and amendment of, their personal information.
Current as at: July 19, 2013