Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
NPP 2 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies. NPP 2 also provides that personal information must not be disclosed outside the health agency unless one of the exceptions applies.
Use and disclosure for primary purpose of collection
NPP 2 sets out the general rule that personal information may only be used or disclosed for the primary purpose of collection. Use and disclosure for a secondary purpose is not permitted except where such use or disclosure falls within the exceptions listed in NPP 2.
The purpose of collection shapes what a health agency can do with the information it collects. Care must be taken in formulating the purpose of collection, because if a health agency gets it wrong, it could find itself with a large amount of personal information that it cannot use.
Generally, when collecting personal information a health agency must have a specific purpose in mind for it, must not collect any more than is necessary, and must not use unfair or unlawful means of collection. Collecting personal information because a health agency thinks it may need it at some time in the future is likely to breach the collection principles. As such, determining the primary purpose of collection should always be possible.
Where the individual has been given a collection notice under NPP 1, that notice will determine the purpose of collection. Even if a health agency intended the information to be collected for an additional purpose, if that was not addressed in the collection notice, it cannot be used for the additional purpose. Where a health agency collects personal information directly from an individual, the context in which the individual gives the information to the organisation will help identify the primary purpose of collection.
Personal information collected on job application forms is provided by the individual for the purpose of possible employment. This is the primary purpose of collection and it must be set out in the collection notice.
Related and directly related purposes
Under NPP 2(1)(a), an organisation may use or disclose personal information about an individual for a secondary purpose if the secondary purpose is related to the primary purpose of collection and the individual would reasonably expect a health agency to use or disclose the information for the secondary purpose.
To be related, the secondary purpose must be something that arises in the context of the primary purpose. If personal information is sensitive information, the use or disclosure must be directly related to the primary purpose of collection. This means that there must be a stronger connection between the use or disclosure and the primary purpose for collection.
The contemplated secondary purpose must be connected to or associated with the primary purpose, or arise in the context of the primary purpose. There must be a close relationship between the purpose of the use or disclosure and the purpose for which the personal information was obtained.
A directly related purpose is one which is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose.
Some examples where the secondary use or disclosure of personal information is directly related to the purpose for which that information is obtained are where:
- a health agency uses information obtained for the purpose of operating a program, for the purpose of monitoring, evaluating, auditing or managing that program
- a health agency uses information obtained for the purpose of investigating complaints, for the purpose of conducting follow-up surveys and reporting to Parliamentary Committees
- secondary disclosure of personal information to a debt collector where the individual incurred a fee for a service performed, and the debt collector is recovering it on behalf of a health agency. This is to be distinguished from the selling of a debt to a debt collection agency who then recovers it for themselves.
The onus lies on a health agency to establish that the secondary purpose is sufficiently related to the primary purpose to fit under this NPP.
The NPPs are not intended to prevent personal information about individuals acting in a business capacity from being exchanged in the normal course of business. In these circumstances, it is likely to be within individuals’ reasonable expectations that information about them in their business role will be used and disclosed for generally accepted business purposes. For example, exchange of business cards and use of them for later business contacts would ordinarily be consistent with the NPPs.
The test is whether an individual would reasonably expect information to be used or disclosed for another purpose and it should be applied from the point of view of an individual with no special knowledge of the activities engaged in by government or a health agency. It is necessary to ask what an ordinary person, not an expert but aware of the circumstances, would consider reasonable. It would be relevant to consider:
- the context in which the personal information is being collected
- the reasonable expectations of the individual whose information it is
- the form and content of information a health agency has given about why it is collecting the information
- how personal, confidential or sensitive the information is
- any duties of care or other professional obligations (although care would be needed if these are not within the individual’s reasonable expectations).
The actual expectations of the individual are relevant, but they are not the final answer as to whether an individual would reasonably expect the use or disclosure.
- A secondary use or disclosure may be reasonably expected where that use or disclosure is inextricably linked to the primary purpose of collection.
- In some cases, despite the link between the primary and secondary purpose, the use or disclosure would not be reasonably expected. For example, where a local council collects the contact details of an individual turning in a lost pet, providing that information to the pet's owner so the owner could thank the finder would not be a reasonably expected secondary purpose despite its link to the primary purpose.
- Need to know can be a relevant factor in determining if a use would be reasonably expected. It can be affected by the size of a health agency and the functions of individuals within it.
Limiting disclosure to what is sufficient
When using or disclosing personal information in reliance on NPP 2(1)(a), a health agency should not use or disclose more information than is necessary to satisfy the related secondary purpose. Excessive disclosure would not be reasonably expected.
Using notices to build an expectation
Collection notices which outline the purposes for which personal information is to be used or disclosed can assist in creating expectations that information is to be used for related secondary purposes. Reasonableness requires that the related secondary use or disclosure is also proper and fair, and generally not incompatible with the primary purpose of collection.
However, more may be required to establish that the use is reasonably expected. For example, a secondary use or disclosure that breaches an undertaking of confidentiality cannot be said to be reasonably expected. A collection notice cannot be used to override legal obligations or prohibitions.
Current as at: August 26, 2014