Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
NPP 2 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies. NPP 2 also provides that personal information must not be disclosed outside the health agency unless one of the exceptions applies.
Definitions for NPP 2
NPP 2(6) In this section—
child, of an individual, includes an adopted child, a stepchild and a foster-child, of the individual.
enforcement body means an enforcement body within the meaning of the Privacy Act 1988 (Cth).
parent, of an individual, includes a step-parent, adoptive parent and a foster-parent, of the individual.
relative, of an individual, means a grandchild, uncle, aunt, nephew or niece, of the individual.
sibling, of an individual, includes a half-brother, half-sister, adoptive brother, adoptive sister, stepbrother, stepsister, foster-brother and foster-sister, of the individual.
Use and disclosure required or authorised by law
Before a health agency relies on NPP 2(1)(f), it should specifically identify the provision on which it is relying. If a disclosure is being made in response to a request from an agency required or authorised to request the information:
- the requesting agency must be specific about what law authorises or requires the disclosure
- a health agency must be satisfied the request is specific and cites the relevant legislation. Vague statements such as ‘I am of the opinion that this information is required in the interests of justice’ are not sufficient, and cannot be accepted as a valid request under these NPPs.
What is meant by law
As a general rule, law as used in the NPPs means Queensland legislation. It will also mean Commonwealth legislation, or a law of another state or territory, where the legislation applies to the Queensland government.
Natural justice is an exception to this. The obligation to accord natural justice is one of the fundamental underpinnings of government decision making. The failure to accord it is one of the grounds on which a decision may be overturned on judicial review. The High Court has said that the obligation to accord natural justice is either an obligation implied into statutes conferring decision making powers or a common law duty, and that it applies unless it is expressly excluded by the statute. A presumption exists that the exercise of statutory power is conditional upon the observance of the rules of natural justice.
If it is necessary to use or disclose personal information in order to fully accord natural justice, then that use or disclosure will be authorised under NPP 2(1)(f). If natural justice can be accorded using de-identified information, or by providing an accurate and comprehensive summary of the information omitting any identifying details, then the use or disclosure will not be authorised under this NPP.
Only the minimum amount of personal information necessary for natural justice to be properly accorded should be used or disclosed, and any extraneous or irrelevant personal information should be held back. The onus will be on a health agency to establish why personal information must be disclosed in order to afford natural justice. If personal information is given to a health agency in circumstances where the health agency could reasonably foresee that the requirement to accord natural justice might arise, the provider of the information should be advised of that fact.
What does required by or authorised under mean?
Use or disclosure of the information will be required under law where:
- the law in question specifically requires the agency holding the information to use it or disclose it for that other purpose
- a law grants a body the power to request the information from the holding agency, whether the power is discretionary or not, and the holding agency has to provide it in answer to the request
- a law requires the agency to perform a certain function, and it is impossible to perform that function without using the information.
Use or disclosure of the personal information will be authorised under law where the use or disclosure is permitted but not required:
- the law must clearly and expressly give the holding agency the discretion to use or disclose the personal information for that purpose
- the agency must be able to point to a specific relevant legislative provision granting the discretion
- it is not enough for the agency to show that the use or disclosure is merely within the agency’s lawful functions
- a general power granting an agency the power to ‘do any thing necessary’ or ‘do anything else in connection with’ will not be sufficient to authorise the use or disclosure for the other purpose
- if disclosure of the information is prohibited by law, a disclosure will not be authorised, even if the requesting agency has a discretionary power to request it
- a use or disclosure is not authorised by law simply because there is no law prohibiting it.
Implied legal authority
Generally, the legal authority for a use or disclosure of personal information under NPP 2(1)(f) must be express. There are, however, some circumstances in which the lawful authority may be implied rather than express.
If a specific Act requires or authorises a function or activity that clearly and directly involves the use or disclosure of personal information, or is impossible to give effect to without using or disclosing personal information, the use or disclosure will be impliedly authorised by law because it is impossible to perform the function or activity without the use or disclosure.
For example, where an agency has a legal obligation to report the full details of a benefit scheme it administers to an oversight body, there is an implied legal authority to disclose personal information of individuals who have received the benefit, as it is impossible to report as legally required without doing so.
Only so far as is necessary
When relying on these sections, care must be taken to use or disclose only the personal information that is necessary to meet the obligation or authorisation, and no more. Personal information used or disclosed in excess of this will not be authorised under NPP 2.
Current as at: August 26, 2014