Under the Information Privacy Act 2009 (Qld) (IP Act), health agencies1 must comply with the National Privacy Principles when they manage personal information. National Privacy Principle 2 (NPP 2) sets out the circumstances in which a health agency may use or disclose personal information.
Under NPP 2, the use or disclosure of personal information for the purpose for which the information was obtained – the ‘primary purpose’ – is permissible. However, personal information can only be used or disclosed for a purpose different from that for which it was obtained – the ‘secondary purpose’ – where the health agency can satisfy one of the permitted exceptions. One of these exceptions is NPP 2(1)(b) – where an individual has consented to the use or disclosure. This guideline explains what you need to consider if you intend to rely on this exception to use or disclose personal information for a secondary purpose.
NPP 2 does not override other legislation
Obtaining an individual’s consent to use or disclose their personal information
Consent can be express or implied.2 It is preferable to seek express consent as implied consent can be less reliable.
Is consent the most applicable exception?
Express consent is where an individual explicitly states their agreement. Consent is typically obtained from the individual whom the personal information is about, although there are limited circumstances in which an individual can consent to the use or disclosure of personal information for a secondary purpose on behalf of another individual.3
The elements of valid express consent require that:
- the individual is adequately informed before giving consent
- it must be voluntary
- it must be specific and current; and
- the individual must have the capacity to understand and communicate their consent.4
Express consent may be provided verbally or in writing, electronically or in any other form5, so long as it is clearly communicated.
Implied consent arises where consent may be reasonably inferred from the facts and circumstances of a particular situation. In simple terms, implied consent requires the following statement to be correct: ‘If I had asked the individual, they would have given their consent’.
Implied consent is a judgement exercise. It requires you to consider the situation from the perspective of the individual and to make an assumption on their behalf. However, this is complicated by the fact that people are individual in their reactions and responses to a situation. Consequently, you should always exercise caution before relying on implied consent. Implied consent is more reliable when dealing with small numbers of individuals (ideally, a single individual). As soon as larger populations are involved, the ‘law of averages’ would suggest that there will inevitably be a number of individuals who would not consent if asked.
There is a stronger presumption for implied consent where the individual concerned receives a clear benefit from the process and accordingly would not challenge the process that provided that benefit. Consider this scenario:
Mr Leonard McCoy recently applied for a vacancy within StarFleet Aged Care. Mr McCoy states in his resume that he recently worked at the Andoria HHS; however, his referees are from another, less recent, HHS. StarFleet Aged Care is concerned that Mr McCoy has not provided a referee from his most recent employment and contacts Andoria HHS to find out if Mr McCoy has ever worked there and if so, what the HHS’ experience of this was.
In the absence of an express authorisation from Mr McCoy, the HHS would be relying on Mr McCoy’s implied consent for his work history with them to be disclosed to StarFleet Aged Care.
There are two possible outcomes to this scenario. One is that the work experience was positive and this is influential in Mr McCoy being offered a job with StarFleet Aged Care. It is easy to assume that Mr McCoy would have consented to this information being provided. The other outcome is that this background check is not favourable to Mr McCoy and he is consequently advised his application is not successful. Mr McCoy finds out that the information provided by Andoria HHS was influential in him not being given the job with StarFleet Aged Care and he subsequently lodges a privacy complaint against the HHS.
Reliance on implied consent always involves an element of risk. Factors that may be relevant in a health agency having confidence in their reliance on implied consent include:
- Whether the proposed secondary use or disclosure provides a benefit to the person concerned. Implied consent may be weaker where the secondary use or disclosure only benefits the health agency.
- The nature of the information used or disclosed. Personal information that is of a minor or trivial nature will have a lesser privacy impact on the individual, and so it is more likely that an individual would have consented, if asked.
- The scope of the proposed secondary use or disclosure. Again, the lesser the dealing with the information, the lesser is the potential impact on the individual.
- The number of people involved. Implied consent is generally best assessed on a case-by-case basis for each individual, as it is more difficult to infer implied consent for a group of individuals.
- Whether the individual is known to the health agency, in which case there is more certainty about their anticipated feelings about the use or disclosure.
If (or when) at a later time the secondary use or disclosure comes to the individual’s attention and is ongoing, there should be an easy and accessible process for the individual to withdraw their consent at that time.
An ‘opt-out’ model is where an individual is given the option to actively decline to give consent to their personal information being used or disclosed for a secondary purpose. If the individual does not take up this option, the health agency assumes that the individual is consenting to the proposed use or disclosure.
The opt-out model operates on a number of assumptions: that the individual is aware of the option to opt out, that they have enough information on the consequences of their choice either way, and that they have the capacity to make a decision on the option.
Similarly to implied consent, the risks of reliance on these assumptions may be lessened where:
- the proposed use or disclosure does not involve sensitive information6 or information of a highly personal nature
- the privacy impact of failing to opt out is not serious
- information about how to opt out is clearly and prominently presented
- the opt-out mechanism is easy to use7; and
- an individual who opts out at a later time will, as far as practicable, be placed in the position as if they had opted out earlier.
An opt-in model is a much stronger permission as the individual has actively consented to the use or disclosure for the secondary purpose. Wherever practicable, health agencies should consider using opt-in over opt-out.
- 1 A ‘health agency’ is a Hospital and Health Service (HHS) or the Department of Health (Queensland Health).
- 2 NPP 2(1)(b) and NPP 2(1)(c)(i) use the general term consent. Schedule 5 of the IP Act defines this consent to include ‘express consent’ and ‘implied consent’.
- 3 See section 196 of the IP Act.
- 4 Refer to OIC’s Guideline: Key privacy concepts – agreement and consent for further explanation of each element, accessible at https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/key-privacy-concepts/key-privacy-concepts-agreement-and-consent
- 5 For example, where an individual nods their head.
- 6 As defined in schedule 5 of the IP Act.
- 7 For example, some individuals may find it easier to opt out if the option is available via telephone or face-to-face at a counter, rather than online.
Current as at: June 27, 2016