Basic guide to NPP 2 - Use and disclosure

Use and disclosure

Health agencies¹ must comply with the National Privacy Principles (NPPs) when they use and disclose personal information, specifically NPP 2. Health agencies holds many different kinds of personal information, including health information. The Hospital and Health Boards Act 2011 (Qld) to which health agencies are subject, deals specifically with the use and disclosure of health information—any uses or disclosures of personal information under that Act are authorised or required by law, and so fit within NPP 2.

NPP 2 sets out when health agencies may use and disclose personal information. Personal information may be used or disclosed for the primary purpose for which it was collected. If the health agency wishes to use it for a secondary purposes, that secondary purpose must be one of those listed in NPP 2(1). A secondary purpose may be a use or a disclosure.

Related secondary purposes

A related secondary purpose of personal information is one which is:

• related to the primary purpose; and
• reasonably expected by the individual.

Under NPP 2(1)(a), health agencies may use or disclose personal information about an individual for a secondary purpose if the secondary purpose is related to the primary purpose of collection and the individual would reasonably expect the health agency to use or disclose the information for a secondary purpose. However, the secondary purpose must be proper and fair, and disclosure of personal information must not be inconsistent with the primary purpose.

When considering whether it is reasonable to disclose personal information about an individual for a secondary purpose, the test of reasonable expectation should be used. Considerations may include:

• the context in which the personal information was collected
• the reasonable expectations of the individual who the personal information is about
• the form and content of why the health agency is collecting such information
• the level of sensitivity, or how personal or confidential the information is
• any duties of care relating to professional obligations.

Consent

Health agencies must be responsive to the fact that consent to use or disclose personal information under NPP 2 is different from a collection notice provided under NPP 1(3). Health agencies are not requesting consent when they provide a collection notice; they are only stating what they intend to do with the information once collected. An individual can provide express or implied consent for use or disclosure of their personal information at the time of collection. Consent is the easiest way of validly using or disclosing personal information for a purpose not stated at the time of collection and can be sought in two ways:

• A health agency may ask an individual if they consent to their information being used or disclosed (opting in)
• A health agency can tell an individual that they are going to use or disclose their personal information unless the individual tells them not to (opting out).

If a health agency chooses an 'opt out' method of obtaining consent, it should ensure that it complies with NPP 2. An opting out preference for sensitive information, collected for specific use or disclosure is not an appropriate method as the individual may not be aware of their options.

Research

NPP 2(1)(c) specifically relates to the use and disclosure of health information that is not governed by Part 7 of the Hospital and Health Boards Act 2011 (Qld). This provision within NPP 2 allows for the secondary use and disclosure of health information necessary for research or statistical analysis, on the condition that the research is relevant to public health or safety. Health information may also be used or disclosed by health agencies without consent for research purposes, should seeking consent from the individual be impracticable. Results of research should be aimed at achieving, attempting to answer or realising potential benefit to others outside of the health agency, by contributing to public health or safety issues.

Serious threat

For health agencies to use or disclose information without consent and rely upon the exception of serious threat there must be a sufficient link between the disclosure of personal information and the prevention or lessening of the threat to the health and safety of an individual or the public. Consideration of whether there are alternative ways to reduce the threat (such as seeking consent to use or disclose the information) must be determined as to whether the disclosure is necessary. A serious threat must reflect significant danger, and could include a potentially life threatening situation or one that might reasonably result in other serious injury or illness. Disclosure of personal information may be feasible where it assists in reducing the threat to life, health, safety or welfare.

Unlawful activity

Where investigation and/or reporting of suspected unlawful activity is recognised as a legitimate function of a health agency, use or disclose of personal information may be permitted within reason upon suspicion that unlawful activity has or is continuing to occur. However, this subsection should only be relied upon in exceptional circumstances, such as the enforcement of laws relating to confiscating the proceeds of crime.

Use or disclosure required under law

NPP 2 enables for personal information to be used or disclosed if it is required to fully accord the process of natural justice. However, if natural justice can be accorded by using de-identified information or providing details of the information without revealing any identifying details then such use or disclose will be a breach under this national privacy principle. Disclosure or use of personal information may be required by law where:

• the law in question specifically requires a health agency retaining the information to use or disclose it for another purpose
• a law grants a body the power to request the information from a health agency, whether the power is discretionary or not, and the health agency has to provide it in answer to the request
• a law requires a health agency to perform a certain function, and it is impossible to perform that function without use of the information.

Necessary for use by an enforcement body

NPP 2 enables a health agency to use or disclose personal information for the preparation or conduct of proceedings before any court or tribunal by, or on behalf of, an enforcement body. NPP 2 however does not authorise a health agency to simply hand over or use the information. A judgment must be made as to whether the use or disclosure is necessary on a case by case basis.

Note on use and disclosure

If a health agency uses or discloses personal information under NPP 2(1)(g) (disclosure necessary for an enforcement body), it is required to make a written note of the use or disclosure of the personal information. Ideally, this note should be made or attached to the record containing the personal information. Where this is impracticable or undesirable, a separate record of uses and disclosures should be maintained, to be stored with the personal information.

Disclosure of health information

Section 142 of the Hospital and Health Boards Act 2011 (Qld) imposes a strict duty of confidentiality on health service employees, unless disclosure is required or permitted under that Act. Where confidential information is provided to another person, NPP 2 will apply.

Statutory provisions specifying the collection of health information will generally be subject to statutory requirements of use and disclosure. However, if no statutory requirements of use and disclosure apply, conditions under NPP 2 are relevant. If there is any doubt or uncertainty whether health information should be disclosed, appropriate advice should be sought.

Responsible person

When confirming consent to use or disclose personal information, NPP 2(4) does not stipulate that a person responsible for an individual must be a 'custodial parent'. Instead, there are numerous classes of people who might be responsible for an individual (see NPP 2(4) (a) – (h). In relation to the decisions of young people, health agencies must consider the specific circumstances involved when a young person is capable of making their own decisions regarding their privacy, with their wishes to be followed accordingly.

Marketing purposes

A health agency may, under NPP 2, use personal information for marketing purposes, provided there is a simple and easy to access procedure for removing an individual from commercial marketing lists. Conditions for removal must not involve any cost or hardship to the individual. The information that the health agency may be permitted to use includes:

• personal information
• information that is not sensitive
• information used for a commercial purpose
• information involving the health agency's marketing of anything to the individual; and
• using information without the consent of the individual.