QPP 3 and 6 - health agencies and health information
Overview
Queensland government agencies1 must handle personal information in accordance with the Queensland Privacy Principles (QPP) in the Information Privacy Act 2009 (Qld) (IP Act).
What is a health agency?
A health agency is the Department of Health or a Hospital and Health Service (HHS).
What is personal information?
Section 12 of the IP Act provides that personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information is true or recorded in a material format.
The individual does not need to be directly identified in the information for it to be personal information. It is sufficient if they can reasonably be identified by reference to other information.
The personal information of one individual may also be the personal information of other individuals. OIC refers to this as mutual personal information, and examples include a marriage certificate, which contains personal information of both parties to a marriage, or a vocational reference that includes personal information about both the author and the subject of the reference.
Refer to Key privacy concepts – personal and sensitive information for more information.
What is health information?
Health information is included in the definition of sensitive information2 and is personal information about an individual that includes any of the following:
- the individual’s health at any time
- a disability of the individual at any time
- the individual’s expressed wishes about the future provision of health services to the individual
- a health service that has been provided, or that is to be provided, to the individual
- personal information about the individual collected for the purpose of providing, or in providing, a health service; or
- personal information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual’s body parts, organs or body substances.
QPP 3 and QPP 6 contain specific provisions about the collection, use and disclosure of health information by a health agency.
Permitted health situations
A health agency can, as per QPP 3.4(c) and QPP 6.2(d), collect, use or disclose health information for a permitted health situation. The permitted health situations are set out in schedule 4, part 2 of the IP Act.
Collection in provision of a health service
A permitted health situation includes a health agency collecting health information where it's necessary to provide a health service to an individual.
Disclosing health information to inform a person responsible
A permitted health situation includes where the disclosure of health information by a health agency is necessary to permit a health professional providing a health service to an individual to disclose their health information to a person responsible for them, if that individual is incapable of giving or communicating consent.
Collecting, using or disclosing personal information for research
The permitted health situations also include where the collection, use, or disclosure of health information by a health agency is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety.
Collection in the provision of a health service
A health agency can collect health information about an individual if the information is necessary to provide a health service to the individual and:
- the individual would reasonably expect the health agency to collect the information for that purpose; or
- the information collection as required or authorised by or under an Australian law.
A health agency can also collect health information that is a family or social medical history or other relevant information about any individual, if:
- it is collected from the individual receiving or about to receive a health service or a person responsible for that individual; and
- it is necessary to collect the personal information for the purpose of providing the individual or another individual with a health service.
See below for who constitutes a person responsible for the individual.
Disclosing health information to a person responsible
Disclosure of health information by a health agency to a person responsible for an individual is permitted where:
- a health professional is providing a health service to the individual
- that individual is incapable of giving or communicating consent
- the health professional is satisfied disclosure necessary for part of the individual’s health care or treatment, or for compassionate grounds; and
- the disclosure is not contrary to any wish expressed by the individual before they became unable to give or communicate consent and the health professional is aware, or could reasonably be expected to be aware, of that wish.
What is a health professional?
Schedule 5 of the IP Act provides that a health professional is a person who is a health professional under schedule 2 of the Hospital and Health Boards Act 2011.
Only the reasonably necessary amount of information can be disclosed.
Disclosure necessary for an individual’s care or treatment could include an occupational therapist telling a sibling, who provides care in the home, about aspects of an individual's current physical condition, to explain how to carry out certain personal care tasks.
Disclosure for compassionate reasons could include a doctor telling an individual's partner about an individual's injuries and prognosis following a car accident.
Disclosure against the individual’s wishes
In determining whether to disclose information to a person responsible, a health professional must consider whether this would be contrary to any known wishes of the individual.
A person responsible for the individual
As set out in schedule 5, a person is responsible for an individual if the person is:
- a parent of the individual; or
- a child or sibling of the individual who a health professional believes has capacity; or
- a spouse or de facto partner of the individual; or
- a relative of the individual and a member of the individual’s household; or
- a guardian of the individual; or
- a person exercising an enduring power under an enduring power of attorney made by the individual that is exercisable in relation to decisions about the individual’s health; or
- a person who has sufficient personal interest in the health and welfare of the individual; or
- a person nominated by the individual to be contacted in case of emergency.
Whether someone is a 'person responsible' will depend on the nature of the relationship between the person and the individual. Depending on the circumstances, 'a person with sufficient personal interest in the health and welfare of the individual' could include a romantic partner, someone in a close relationship or friendship with the individual, a housemate, or a companion or carer of the individual.
Collection, use or disclosure of health information for research
A health agency can collect, use or disclose health information without the consent of the individual for research, or the compilation or analysis of statistics, relevant to public health or public safety if the collection, use or disclosure is necessary for the research or compilation. A health agency can also collect health information if it is necessary for the management, funding or monitoring of a health service.
These permitted health situations can only be relied on where:
- for collection – the purpose cannot be served by collecting information which does not allow the identification of the individual
- for collection – collection is authorised or required by or under an Australian law, undertaken by a designated person with the approval of the relevant chief executive, or done in accordance with guidelines approved by the chief executive of the health department for this subparagraph
- it is impracticable for the health agency to seek the individual’s consent to the collection, use or disclosure
- for use or use or disclosure – the research must be conducted in accordance with guidelines approved by the chief executive of the health department for the purposes of this subparagraph; and
- for disclosure—the health agency reasonably believes that the entity receiving the health information will not disclose the health information or personal information derived from the health information.
Before a health agency can rely on these permitted general health situations, it must first consider:
- is the collection, use or disclosure necessary of health information necessary for the research? Can the same goal be achieved with unidentified or deidentified information?
- How effective will deidentification of the data in the final product of the research be? More than just a name can identify an individual.
- For a disclosure, what steps will the agency take to ensure the recipient does not disclose the personal information? The agency must be satisfied that the recipient will not disclose the information to anyone else.
- For a disclosure, is the information being communicated outside Australia? If so, it must comply with section 33 and QPP 8.
- Is it impracticable to seek the consent of the potential subjects?
- Is the work relevant to public health or public safety?
Deidentified or unidentified data
The privacy principles only apply to information that can be linked to an identifiable individual. If the information can be deidentified, or broken down into aggregated unidentified data such as statistics, the use or disclosure can proceed without having to consider the QPPs.
Refer to Privacy and Deidentification for assistance on deidentifying information.
Conducted according to health department guidelines
To rely on these permitted general health situations, the agency must ensure that research will be conducted according to guidelines issued by the chief executive of the health department.
Necessary
When considering whether the use or disclosure is necessary, the health agency must consider to what extent the personal information is needed for the research. It will be a question of degree, to be determined having regard to the purpose of the research, its intended outcomes, and the extent to which it is dependent on the personal or health information. If deidentified information would serve the same purpose, then the use or disclosure of personal information is not necessary.
Research
Research generally involves ethical investigation using a set methodology intended to achieve a specific result. It must begin with a clearly defined goal around which the study is designed. The data gathered as part of the research must be aimed at assisting the researcher towards achieving that goal.
It should be more than a reorganisation or restatement of the facts contained in the data; it must use a clear procedure to analyse a body of information or data and extract new meaning from it or develop unique solutions to problems or cases.
Statistics
Compilation or analysis of statistics is the act or process of collecting numerical data, or undertaking a detailed examination of the elements or structure of numerical data, especially in or about large quantities, and inferring conclusions about the whole from conclusions reached from the whole or a representative sample.
Relevant to public health or public safety
For research to be relevant to public health or public safety there must be a sufficient link between the goal of the research and its possible impact on public health or safety. The results it is aimed at achieving, the questions it is attempting to answer, or the knowledge it is seeking to gain must be of potential benefit to the public generally, not just the agency which holds the information or the individual conducting the research.
Research relevant to public health or safety would commonly involve something beneficial to the well-being of society as a whole, or a specific segment of it.
Research that may be in the public interest could include research into:
- public health issues
- public safety issues
- social welfare issues
- protection of children and disabled or disadvantaged members of society
- environmental health, protection and improvement
- better delivery and increased effectiveness of government services.
All proposed research projects where personal information is considered necessary must be individually assessed to determine if they are actually relevant to public health or safety.
When making this assessment, agencies should consider:
- How is the public being defined? Does it go beyond the agency’s own needs/potential benefit to consider the greater implications for the public as a whole?
- How is the public health or safety expected to benefit from, or be impacted by, this research? For example, will it bring greater knowledge, insight, or understanding or enhance the delivery or improve the effectiveness of a government health service?
- Is there a risk or a potential cost to the community if the research is not conducted?
- Are the potential subjects of the research at any risk of harm as a result of their personal information being used in this way?
- Is the research being conducted in an ethical way, consistent with the accepted standards for research involving human beings?
Not practicable to obtain consent
Consent is the best way of using or disclosing personal or health information for a secondary purpose.
A health agency can only rely on this if it is not practicable to obtain the individual’s consent. Not practicable does not mean difficult or undesirable. To be impracticable, it must be impossible, or extremely difficult, to seek that agreement. The fact that seeking agreement is inconvenient or would involve expenditure of some effort or resources is not sufficient.
The impracticability of obtaining agreement must not be confused with the undesirability of obtaining agreement. For example, it is not sufficient that, if agreement were sought, refusal by some individuals would make the research project more difficult.
Whether it is impracticable to seek agreement will depend on the individual circumstances. When making this determination, the following are relevant considerations:
- the age of the information
- the size of the subject pool
- whether the individuals concerned are likely to have moved or died
- the lack of current or ongoing contact with the individuals, and a lack of sufficient information to determine their current contact details (bearing in mind the obligation to ensure information is accurate and up to date before use); and
- the resources required to obtain agreement would be a significant drain on the agency or researcher to the extent that the research could not be done.
Satisfied the relevant entity will not disclose
Where the health agency is disclosing, rather than using, the health information, it must be satisfied on reasonable grounds that the entity receiving it will not disclose it to anyone else.
In addition, health agencies should ensure the entity will:
- appropriately safeguard the information against loss, misuse, and unauthorised access
- not use the information for any other purpose; and
- return the information, or destroy it, at the conclusion of the research.
This could be achieved by way of a contract, Memorandum of Understanding, Deed of Privacy or other instrument that binds the recipient of the information to deal with it in a specific way.
- 1 References to an agency in this guideline include a Minister, bound contracted service provider, or other entity required to comply with the QPPs.
- 2 As defined in schedule 5 of the IP Act.
Current as at: July 1, 2025