Health agencies[1] are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
Under NPP 2 a health agency must not use or disclose personal information[2] unless one of the exceptions in NPP 2 applies.
Under NPP 2(1)(a) a health agency can use or disclose personal information for a purpose related to the original purpose of collection if the individual would reasonably expect it to.
It is important to note that the privacy principles do not authorise the disclosure of personal information. Rather, they mean that an agency legitimately disclosing personal information under IPP 11(1) or NPP 2(1) does not breach those privacy principles and can rely on them as a defence to a privacy complaint.
In addition, the privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information, for example confidentiality provisions like those contained in the Hospital and Health Boards Act 2012 or the Child Protection Act 1999.
(1) A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—
(a) both of the following apply—
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the health agency to use or disclose the information for the secondary purpose
Information collected for a specific purpose
Health agencies are required to have a purpose for the personal information they collect.
Depending on the circumstances, the individual the information is about may have been given a collection notice under NPP 1, which will set out the purpose of collection. Even if a health agency intended the information to be collected for an additional purpose, if it was not addressed in the collection notice, the additional purpose cannot be considered one of the information's primary purposes.
Where a health agency collects personal information and no collection notice was given, it will need to determine the primary purpose for which it was collected. This could involve considering:
- the information itself
- the context in which the information was collected
- the entity the information was acquired from
- what the agency did with the personal information after it acquired it; and
- any legislation, policies, plans or schemes underpinning its acquisition and/or original use.
Sensitive versus non-sensitive information
Sensitive personal information can only be used or disclosed under NPP 2(1)(a) for a secondary purpose directly related to the primary purpose for which the information was collected.
For personal information that is not sensitive, the secondary purpose only needs to be related to the primary purpose.
Sensitive information is defined as:
(a) personal information about the individual that includes any of the following—
(i) the individual’s racial or ethnic origin;
(ii) the individual’s political opinions;
(iii) the individual’s membership of a political association;
(iv) the individual’s religious beliefs or affiliations;
(v) the individual’s philosophical beliefs;
(vi) the individual’s membership of a professional or trade association;
(vii) the individual’s membership of a trade union;
(viii) the individual’s sexual preferences or practices;
(ix) the individual’s criminal record; or
(b) information that is health information about the individual for the NPPs.
Related and directly related purposes
To be related to the primary purpose of collection, the secondary purpose must be something that arises in the context of the primary purpose. There does not need to be a strong connection between the two purposes; it is sufficient that there is a connection.
Anything that satisfies the 'directly related purpose' test for sensitive information will also be a related purpose.
Directly related purpose
The use or disclosure of sensitive information under NPP 2(1)(a) requires the secondary purpose to be directly related to the primary purpose of collection. This means that there must be a stronger connection between the use or disclosure and the primary purpose for collection than merely related.
The contemplated secondary purpose must be directly connected to or associated with the primary purpose or arise in the context of the primary purpose. There must be a close relationship between the purpose of the use or disclosure and the purpose for which the personal information was obtained.
A directly related purpose can be sufficiently associated with the original purpose even if it is not strictly necessary to achieve that purpose. If the secondary purpose is administrative, it must be one that people would reasonably expect to be associated with the original purpose.
The secondary use or disclosure of sensitive personal information will be directly related to the purpose for which that information was obtained where a health agency uses information:
- obtained for the purpose of operating a program for the purpose of monitoring, evaluating, auditing or managing that program
- obtained for the purpose of investigating complaints for the purpose of conducting follow up surveys and reporting survey results to a Hospital and Health Board
- collected when an individual agreed to pay the health agency a fee for performing a service to recover the unpaid fee.
The NPPs are not intended to prevent personal information about individuals acting in a business capacity from being exchanged in the normal course of business. In these circumstances, it is likely to be within individuals’ reasonable expectations that information about them in their business role will be used and disclosed for generally accepted business purposes.
The test is whether an individual would reasonably expect information to be used or disclosed for another purpose. It should be applied from the point of view of an individual with no special knowledge of the activities engaged in by government or a health agency. It is necessary to ask what an ordinary person, who is not an expert but who is aware of the circumstances, would consider reasonable.
The health agency should consider:
- the context in which the personal information was collected
- the reasonable expectations of the individual the information is about
- the information the health agency provided about why it collected the information
- how personal, confidential, or sensitive the information is
- any duties of care or other professional obligations the health agency has towards the individual.
The actual expectations of the individual are relevant, but they are not the final answer as to whether an individual would reasonably expect the use or disclosure.
- A secondary use or disclosure may be reasonably expected where that use or disclosure is inextricably linked to the primary purpose of collection.
- In some cases, despite the link between the primary and secondary purpose, the use or disclosure would not be reasonably expected. For example, where a health agency collects the contact details of an individual turning in a lost wallet, providing that information to the wallet's owner so the owner could thank the finder would not be a reasonably expected secondary purpose despite its link to the primary purpose.
Need to know can be a relevant factor in determining if a use or disclosure would be reasonably expected. It can be affected by the size of a health agency and the functions of individuals within it.
Limiting use or disclosure to what is necessary
When using or disclosing personal information under NPP 2(1)(a), a health agency should not use or disclose more information than is necessary to satisfy the related or directly related secondary purpose.
Excessive use or disclosure would not be reasonably expected.
Using notices to build an expectation
Collection notices which outline the purposes for which personal information is to be used or disclosed can assist in creating reasonable expectations for NPP 2(1)(a).
There are limitations, however. Reasonableness requires that the related secondary use or disclosure is proper and fair, and not incompatible with the primary purpose of collection. Also, a secondary use or disclosure that purports to breach confidentiality requirements or legal obligations or prohibitions cannot be said to be reasonably expected.
[1] In this guideline, health agency includes a bound contracted service provider to a health agency.
[2] Any information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Current as at: September 20, 2019