Disclosure checklist

Overview

The Information Privacy Act 2009 (Qld) (IP Act) contains a number of privacy principles which set out the rules for how personal information is to be collected, managed, used and disclosed by Queensland government agencies.

This checklist will assist agencies to decide whether or not they are permitted to disclose personal information under the IP Act. Note, however, that some personal information may be subject to obligations in other Acts, such as confidential information under the Hospital and Health Boards Act 2011 (Qld), or information under the Food Act 2006 (Qld).

Personal information

Personal information is defined in section 12 of the IP Act. It is a very broad definition that encompasses any information about an individual who can be identified directly from the information, or whose identity can be reasonably ascertained by reference to other information. Information does not necessarily have to be true, or written down, to be personal information, and neither does it need to be sensitive or 'important'. The definition is limited in that an individual can only be a natural person, meaning that companies, for example, do not have personal information and neither do deceased persons.

Disclosure

Information Privacy Principle 11 (IPP 11), which applies to all agencies except health agencies, and National Privacy Principle 2 (NPP 2), for health agencies, regulate the circumstances in which an agency is permitted to disclose personal information. Disclosure is defined in section 23(2) of the IP Act. For the movement of personal information from one entity to another to be a disclosure, the personal information must:

  • pass out of the agency's control,
  • be given to someone outside the agency or dealt with in a way that would allow someone to find it out, and
  • not be given to someone who already knows it, or someone who is in a position to find it out.

In some circumstances agencies are not required to comply with IPP 11 or NPP 2. Note, however, that other privacy principles, such as the transfer out of Australia rules, may still apply.

Checklist - can personal information be disclosed?

Schedule 1 Yes No
Is the personal information a document listed in schedule 1 of the IP Act?    

Documents in schedule 1 are not subject to the privacy principles. If you answered yes, you do not need to consider the privacy principles any further in relation to the document. (Consider other obligations that may attach to the document before disclosing it.)

If you answered no, please continue.

Section 211 Yes No
Is the movement of personal information part of the performance of a contract entered into on or before 30 June 2009 or, for local government, 30 June 2010?    

If you answered yes, you are not required to comply with IPP 11 or NPP 2 in relation to the movement of personal information.

If you answered no, please continue.

Section 23(2)(a) Yes No

Does the person to whom the agency is considering giving the personal information already know it?

Note: the onus will be on the agency to prove that the person did, in fact, know it.

If you answered yes, the movement of personal information is not a disclosure and IPP 11 or NPP 2 do not apply.

If you answered no, please continue.

Section 23(2)(a) Yes No

Is the person to whom the agency is considering giving the personal information in a position to find it out?

Note: this requires more than the person having the ability to ask the individual to tell them the information; the person must have both a lawful right and an ability to access the personal information in question from another source.

If you answered yes, the movement of personal information is not a disclosure and IPP 11 or NPP 2 do not apply.

If you answered no, please continue.

Section 29 - this question does not apply to health agencies Yes No
Are you the Queensland Police, the Crime and Corruption Commission, Community Safety, or a law enforcement agency as defined in schedule 5 of the IP Act?    
If you answered yes to the first question, are you satisfied on reasonable grounds that the disclosure of personal information is necessary for the performance of the relevant functions listed in section 29(1)(a)-(d)?    

If you answered yes to both of these, you are not required to comply with IPP 11 to the extent necessary for the performance of the functions.

If you answered no to one or both of these, please continue.

Section 28 and section 32 Yes No

Is the personal information related to or connected with personal information which is either:

  • published by the individual, or
  • provided by the individual to someone else for the purposes of publication?

Publish means to make it available to the public by way of television, newspaper, radio, the internet, or another form of communication.

If you answered yes, you are not required to comply with IPP 11 or NPP 2 in relation to the personal information.

If you answered no, please continue.

Section 38 Yes No
Are you a Queensland government department or other agency with a responsible Minister?    
Is the personal information to be given to the Minister to inform the Minister about matters relevant to the Minister's responsibilities in relation to the agency?    

If you answered yes to both of these questions, the movement of the personal information will not contravene the privacy principles. Note that other legislation, such as the Hospital and Health Boards Act 2011 (Qld), may prohibit the movement of personal information.

If you answered no to one or both of these questions, the personal information may only be disclosed as permitted by IPP 11 or NPP 2. Please consider the relevant provisions to determine if they apply in your circumstances.

Applying IPP 11 or NPP 2

For assistance in the application of IPP 11 or NPP 2 refer to:

Current as at: July 9, 2014