Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
NPP 2 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies. NPP 2 also provides that personal information must not be disclosed outside the health agency unless one of the exceptions applies.
Definitions for NPP 2
NPP 2 (6) In this section—
child, of an individual, includes an adopted child, a stepchild and a foster-child, of the individual.
enforcement body means an enforcement body within the meaning of the Privacy Act 1988 (Cth).
parent, of an individual, includes a step-parent, adoptive parent and a foster-parent, of the individual.
relative, of an individual, means a grandchild, uncle, aunt, nephew or niece, of the individual.
sibling, of an individual, includes a half-brother, half-sister, adoptive brother, adoptive sister, stepbrother, stepsister, foster-brother and foster-sister, of the individual.
Use and disclosure to investigate or report unlawful activity
NPP 2(1)(e) acknowledges that investigation and reporting of suspected unlawful activity is a legitimate function of a health agency. The principle allows a health agency to use or disclose personal information when it has reason to suspect that unlawful activity has been, is being, or may be engaged in. Unlawful activity refers to acts or omissions that are expressly prohibited by Commonwealth or State law.
For example, fraud is an offence under the Public Service Act 2008 (Qld) and the Public Sector Ethics Act 1994 (Qld). Fraud is also defined as a criminal offence in the Queensland Criminal Code.
The relevant persons or authorities to which a health agency may report unlawful activity include the enforcement bodies as defined in the IP Act but can include other appropriate agencies and regulatory bodies or authorities such as the Office of State Revenue.
Use and disclosure for enforcement, investigation and revenue protection
NPP 2(1)(g) allows a health agency to use or disclose personal information for law enforcement and investigation and to protect the public revenue. It should only be used in exceptional circumstances, and not to justify ongoing or regular uses and disclosures. The laws in question do not have to be the laws of Queensland.
In Queensland, Criminal offences are those defined as such by the Criminal Code Act 1899 (Qld). Section 3 states that offences are of two kinds, regulatory and criminal, with criminal offences being made up of three different kinds: crimes, misdemeanours, and simple offences. If an offence is not designated as a crime or a misdemeanour then it is a simple offence. Many of the offences in legislation other than the Criminal Code, such as the Vegetation Management Act 1999 (Qld) or the Animal Care and Protection Act 2001 (Qld), are simple offences, and as such are criminal offences.
If unsure, a health agency should request details about the offence to enable a decision to be made as to whether or not it is a criminal offence.
Law imposing a pecuniary penalty
If the offence is not a criminal offence, but it still imposes a monetary penalty – most likely by way of specifying a number of penalty units as the maximum payable – then it is a law imposing a pecuniary penalty.
Law imposing a sanction
A law imposes a sanction if it takes away a right or privilege, or allows some disadvantaging action other than the imposition of a pecuniary penalty. For example: removal of a licence or entitlement, disciplinary action, such as suspension, a pay cut, or dismissal, or the withdrawal of a benefit.
Enforcement of laws relating to the confiscation of the proceeds of crime
This NPP allows agencies to use or disclose personal information where it is necessary for the enforcement of laws relating to confiscating the proceeds of crime. These laws enable enforcement bodies to trace the proceeds, benefits and property derived from criminal activity, and provide for the forfeiture of property used in connection with the commission of criminal offences.
There are two confiscation schemes in operation in Queensland:
- Conviction based confiscation. Administered by a health agency of Public Prosecution, this occurs when a direct link can be established between a crime of which someone has been convicted and an asset.
- Confiscation without conviction, also called civil confiscation. This is administered by the Crime and Corruption Commissioner under the Criminal Proceeds Confiscation Act 2002 (Qld) and allows property to be restrained on the basis of reasonable suspicion of serious crime related activity.
Both of these fall within this NPP, as will similar schemes operating in other jurisdictions.
Enforcement encompasses the whole of the activity, from initial inquiries to the hearing of a matter in court or presentation to a decision maker or non-judicial tribunal. It also includes gathering intelligence to support the investigation functions of law enforcement bodies, or providing information to the relevant enforcement body.
Protection of the public revenue
The public revenue includes levies, taxes, rates and royalties charged on a regular basis. It does not include occasional charges, such as fines or the occasional overpayment by a health agency.
Protection of the public revenue includes the activities of agencies and bodies intended to ensure that lawful obligations are met by those subject to the charges, such as routine collection, audits, investigatory and debt recovery actions. Prosecution for failure to pay the charge would fall under the criminal law exception.
It does not cover activities intended to identify and eliminate inefficient but lawful spending of public money.
Seriously improper conduct
Seriously improper conduct refers to serious breaches of standards of conduct associated with a person’s duties. It includes corruption, abuse of power, dereliction of duty, breach of obligations that would warrant the taking of enforcement action against the person or any other seriously reprehensible behaviour.
In the Queensland public service, seriously improper conduct can be identified by reference to the Public Sector Ethics Act 1994 (Qld), the Public Service Act 2008 (Qld) or the Crime and Corruption Act 2001 (Qld). Misconduct of this type may also be set out in specific statutes applying only to certain agencies.
Examples of misconduct amounting to serious improper misconduct include conduct that could be:
- misconduct under the Police Service Administration Act 1990 (Qld)
- corruption under the Crime and Corruption Act 2001 (Qld)
- misconduct under the Public Service Act 2008 (Qld)
- other conduct under section 187 of the Public Service Act 2008 (Qld) where it is serious and improper
- a breach of the Public Sector Ethics Act 1994 (Qld) or a Code of Conduct under that Act
- a criminal offence.
Conduct of proceedings
This NPP allows a health agency to use or disclose personal information for the preparation or conduct of proceedings before any court or tribunal by, or on behalf of, an enforcement body.
This NPP also enables a health agency to use or disclose information to implement orders issued by the court or tribunal, although where the use or disclosure is necessary for a health agency to satisfy the order, it would also fall under the NPPs permitting use or disclosure based on a legal authority. There needs to be a clear link between the order that is being enforced and the information that is being disclosed, and any disclosure should be limited only to what is necessary and relevant.
Satisfied on reasonable grounds that it is necessary
A health agency must be satisfied on reasonable grounds that the personal information is necessary for one or more of the listed purposes. This requires a health agency to consider whether the use or disclosure will actually assist in one of the above endeavours. This NPP does not authorise a health agency to simply hand over or use the information. A judgement must be made as to whether the use or disclosure is necessary in the circumstances.
Generally a health agency must:
- be satisfied that there is a link between the proposed use or disclosure and the enforcement or protection activities
- establish that the link is sufficient to make the use or disclosure of the personal information reasonably necessary
The personal information need not be essential or critical to the activity, but it must be more than just helpful or expedient.
A health agency must be satisfied on reasonable grounds. This means it must consider the circumstances, the offence and the information in question to decide whether the use or disclosure is necessary.
Relevant considerations are:
- whether the requesting officer has been identified as a legitimate officer, and has provided their details, including work unit and supervisor
- the reason for the request – a health agency should establish what is being investigated, at least in broad terms, and why the information is necessary
- whether a health agency has the contact details of a senior officer, who can verify that the investigation is legitimate, especially where the request involves a large amount of personal information or personal information of a sensitive nature
- whether it is more appropriate, given the amount and sensitivity of the personal information, to wait for a warrant or other legal authority to be produced.
By or for an enforcement body
Enforcement body is defined in NPP 2(6). If an agency fits the definition then it will fall within this NPP. A health agency will be using or disclosing information on behalf of a law enforcement agency if it is doing something on behalf of the agency, or to assist the agency in its law enforcement functions, or making inquiries or carrying out a function on its behalf.
If a health agency uses or discloses personal information under subsection (1)(g), it must include with the personal information a note of the use or disclosure.
NPP 2(2) requires an organisation that uses or discloses personal information under NPP 2.1(g) to make a written note of the use or disclosure with the personal information.
Normally, the note should be made on, or attached to, the record containing the personal information. In circumstances where this is impractical or undesirable, a separate log of uses and disclosures may be maintained so long as it is stored with the personal information.
The notation should state when the use or disclosure took place, the position title of the disclosing officer, to whom the information was disclosed (for disclosures), and/or for what purpose the information was used (for uses).
It may be appropriate to protect any such notations from scrutiny by staff who routinely access the records, but the notes must be accessible for audit or complaint purposes, or access requests under the Right to Information Act 2009 (Qld) or the IP Act.
Current as at: August 26, 2014