Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
NPP 2 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies. NPP 2 also provides that personal information must not be disclosed outside the health agency unless one of the exceptions applies.
Definitions for NPP 2
NPP 2 (6) In this section—
child, of an individual, includes an adopted child, a stepchild and a foster-child, of the individual.
enforcement body means an enforcement body within the meaning of the Privacy Act 1988 (Cth).
parent, of an individual, includes a step-parent, adoptive parent and a foster-parent, of the individual.
relative, of an individual, means a grandchild, uncle, aunt, nephew or niece, of the individual.
sibling, of an individual, includes a half-brother, half-sister, adoptive brother, adoptive sister, stepbrother, stepsister, foster-brother and foster-sister, of the individual.
Use of personal information for direct marketing
(5) Despite subsection (1), a health agency may use an individual’s personal information that is not sensitive information for a commercial purpose involving a health agency’s marketing of anything to the individual, but only if—
(a) it is impracticable for the health agency to seek the consent of the individual before the personal information is used for the purposes of the marketing; and
(b) the health agency will not charge the individual for giving effect to a request from the individual to the health agency that the individual not receive any marketing communications; and
(c) the individual has not made a request mentioned in paragraph (b); and
(d) in each marketing communication with the individual, the health agency will draw to the individual’s attention, or prominently display a notice, that the individual may ask not to receive any further marketing communications; and
(e) each written marketing communication from the health agency to the individual, up to and including the communication that involves the use, will state the health agency’s business address and telephone number and, if the communication with the individual is made by fax or other electronic means, a number or address at which the health agency can be directly contacted electronically.
Where a health agency is using personal information under NPP 2(1), NPP 2(5) means a health agency can:
- use personal information
- that is not sensitive information
- for a commercial purpose
- involving the health agency's marketing of anything to the individual
- without the consent of the individual
- it is impracticable to seek the individual's consent before using the personal information for marketing
- there will be no charge to the individual for stopping the marketing communications
- the individual has not made such a request
- each marketing communication tells the individual how to stop the marketing communications and provides a health agency's contact details, including electronic contact details.
Impracticable to seek consent
Only if it is not practicable to seek consent can personal information be used for commercial marketing practices. ‘Not practicable’ does not mean difficult or undesirable; to be impracticable it must be impossible, or extremely difficult, to seek that consent. The fact that seeking consent is inconvenient or would involve expenditure of some effort or resources is not sufficient.
The impracticability of seeking consent must not be confused with the undesirability of seeking consent. For example, it is not sufficient that, if consent were sought, refusal by some individuals would make the marketing less successful.
Whether it is impracticable to seek consent will depend on the individual circumstances. When making this determination, the following are relevant considerations:
- the age of the information, where the individuals are likely to have moved or died
- the lack of current or ongoing contact with the individuals, and a lack of sufficient information to determine their current contact details (bearing in mind the obligation to ensure information is accurate and up to date before use)
- the resources required to seek consent would be a significant drain on a health agency.
Request to stop marketing
A health agency must have simple and easy to access procedures for having an individual removed from their commercial marketing lists. It must not involve any cost or hardship to the individual.
Once such a request is received, a health agency must immediately cease sending marketing communications to the individual and remove them from their lists.
Content of notices to accompany marketing
Each communication with the individual must inform the individual that they can tell a health agency to stop sending them communications. If it is a written communication, it must be included as a prominent notice; if it is an oral communication, the individual must be told. The individual should also be told how they can make the request. It is not sufficient that the information is given in the first communication; it must be given in every communication.
Where the communications is written, it must also include full details of the entity's business address and telephone number.
if it is made by fax or other electronic means it must include details of a number or address (such as an email or web page address) at which the entity can be directly contacted electronically.
Current as at: August 26, 2014