Privacy and information sharing between agencies
Queensland government agencies1 must manage personal information in compliance with the privacy principles in the Information Privacy Act 2009 (Qld) (IP Act). This includes when sharing personal information with other Queensland government agencies.
This guideline is intended to assist agencies that are not health agencies to share information with other agencies or health agencies in compliance with the privacy principles. Health agencies,2 which are Hospital and Health Services and the Department of Health, should refer to Privacy and information sharing for health agencies.
What is an agency?
For the privacy principles, an agency is a department, local government, or public authority such as the Queensland Law Society, the Crime and Corruption Commission, and Queensland public universities.
What is personal information?
Personal information is any information about an individual who can reasonably be identified.3 All information that fits this definition is personal information, even if it does not seem sensitive or appears to be harmless, unimportant, or trivial.
If the information an agency wants to share is not personal information, the privacy principles do not apply.
Refer to What is personal information? for more information.
What are the privacy principles?
The privacy principles include the Information Privacy Principles (IPPs)—which set out the rules for how agencies collect, store, secure, verify, use and disclose personal information—and the rules about transferring personal information out of Australia.4
Sharing personal information generally involves one agency disclosing personal information to a third party;5 if that third party is another agency the privacy principles governing collection6 will apply to this agency.7 Sharing information with non-agency or third parties is not addressed in this guideline.
Collection obligations
Agencies must collect only personal information necessary for, or directly related to, a lawful purpose directly related to their functions or activities. They must not collect it in a way that is unlawful or unfair and must take reasonable steps to ensure it is relevant, accurate, and complete.
The privacy principles can support the necessary flow of personal information between agencies, but agencies must consider their privacy obligations before deciding personal information can be shared.
Failure to comply with the privacy principles can erode community trust and goodwill, cause distress and detriment to individuals, and result in privacy complaints. Privacy complaints which are not resolved by the agency can be escalated to the Office of the Information Commissioner and subsequently to the Queensland Civil and Administrative Tribunal, which can be costly and time consuming.
If disclosure is prohibited by law
The privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information.8 If information is subject to confidentiality or secrecy provisions, such as those in the Child Protection Act 1999 (Qld),agencies must refer to the relevant Act to determine if it can be shared.
Benefits of agencies sharing information
Each agency delivers services to the community in accordance with their specific responsibilities. Where these responsibilities overlap and/or interact information sharing between agencies can aid in the efficient and effective targeting of government resources, support, and services.
Information sharing can lead to better informed government decision making and streamline government processes, particularly where the individual would otherwise be providing the same information to related agencies. This can be especially beneficial where the information may be difficult or traumatic to retell.
It can also provide enhanced protections for vulnerable members of the community, such as victims of family violence, by allowing better collaboration between support agencies.
Planning for information sharing
The steps an agency takes when planning to share information will depend on whether it will be one-off or an on-going arrangement.
Ongoing, regular sharing of personal information should be governed by a written agreement9 that sets out the parameters of the arrangement, including the grounds on which the sharing is permitted, any limitations on access and use of that information, and a process to address situation where the agreement is not followed. Addressing the below issues in the agreement can assist in ensuring both the transferring and receiving agency meet their privacy obligations:
- Which officers will be involved in sharing the information before, during, and after? Generally, only officers who need to be involved in the process or subsequent use of the personal information should have access to the shared information.
- What is the nature of the information being shared? Is some or all of it sensitive or subject to specific security considerations?
- How is it being shared? This will often depend on the information's form, eg is it copies of paper or digital records or is partial/full access to an agency’s database being given?
- Is the sharing subject to audit or monitoring arrangements to ensure that the proposed objective is being/has been met and that only designated persons are involved in the process?
- Is there a timeframe for review of any long-term sharing arrangement?
Depending on the circumstances and information being shared, a privacy impact assessment (PIA) should be undertaken. A PIA will allow agencies to identify, assess, and manage any risks associated with the information sharing arrangement. Even if a PIA is not developed, assessing the risks associated with the intended information sharing can be an important part of privacy compliance.
One-off information sharing will generally not require a written agreement, but agencies need to consider their privacy obligations, decide whether sharing the information is appropriate, and document the disclosure.10
For both one-off and ongoing sharing, the disclosing agency and the collecting agency must ensure their compliance with the relevant privacy principles.
Information sharing policies
A general information sharing policy that tells officers how to deal with requests for personal information from other agencies can help agencies meet their privacy obligations and safeguard against breaches.
A policy could set out the benefits of information sharing, explain the privacy considerations, include any disclosure request forms11 or existing information sharing arrangements, and direct officers to more information and relevant contacts.
Sharing the information
As part of assessing any personal information sharing arrangement, agencies should identify:
- the purpose of sharing the information
- whether the sharing is authorised by an Act
- if disclosure is compliant with the privacy principles; and
- whether the sharing involve transferring it overseas.
A PIA can be useful for assessing and addressing these issues.
Human Rights Act
Agencies must also comply with the Human Rights Act 2019 (Qld).12 It requires agencies to give proper consideration to, and act compatibly with, human rights when making decisions or taking actions. This includes a decision to share, or not to share, personal information with another agency.
What is the purpose of the information sharing?
It is essential that both agencies understand and agree on the purpose of any proposed sharing of personal information. The purpose will determine whether the agency requesting it can do so without breaching the collection IPPs and assist the agency it was requested from to assess whether the personal information can be shared.
Is there an Act that requires or permits the sharing?
If an Act requires or permits the information to be shared, then the sharing will be authorised if it is done in accordance with any specific requirements in that Act.13 This may require agencies to assess the Act to ensure its provisions have been complied with.
Example: Domestic violence information sharing arrangements
The Domestic and Family Violence Protection Act 2012 (Qld) (DFVP Act) creates an information sharing arrangement that allows agencies14 to share information where a person’s safety may be at risk.
The DFVP Act requires agencies to seek consent where safe, possible and practical but allows information to be shared without consent where the agency reasonably believes:
- a person fears or is experiencing domestic violence; and
- the information may help another service receiving the information to assess whether there is a serious threat to the person’s life, health or safety because of domestic violence.
Disclosure under IPP 11
Sharing personal information with another agency will generally involve disclosing it.15 Any disclosure of personal information must fall within the circumstances listed in IPP 11(1), which include:
- if the individual was given a notice under IPP 2 that the disclosure would occur
- with the individual's express or implied agreement
- to prevent a serious threat to an individual or the public
- to a law enforcement agency to fulfill one or more enforcement functions; and
- for public interest research.
Refer to the disclosure guidelines for more information.
Transferring information out of Australia
Any information sharing that requires personal information to be transferred out of Australia will need to comply with section 33. This includes where the individual has agreed to the transfer, the transfer is authorised or required by law, or is necessary to prevent a threat to an individual or the public.
For more information refer to Sending personal information out of Australia.
Sharing information in an emergency
The privacy principles provide the necessary flexibility to share information in emergencies and disaster events. This includes allowing personal information to be disclosed to assist in law enforcement activities and to be disclosed and transferred overseas to prevent harm to the public or an individual.
For more information refer to Privacy and managing disaster events, All agencies - Use or disclosure for law enforcement, and All agencies - Use or disclosure to prevent harm.
Information sharing in a pandemic
For specific guidance on information sharing in a pandemic refer to Managing privacy in a pandemic.
Other privacy considerations: quality, relevance, security
Agencies are required to take reasonable steps to ensure personal information is accurate, complete, not misleading and up to date.16 Agencies sharing personal information need to take these reasonable steps before providing it to another agency.
It is important that the information provided is limited only to what is necessary to fulfill the purpose for which the information is being shared17 and it must be secured appropriately based on its sensitivity.18
Privacy principle waivers
The IP Act allows for an agency's compliance with the privacy principles to be waived or modified where non-compliance is more in the public interest than compliance. These waivers can allow information sharing that would otherwise be a breach of the privacy principles, for example waiving the privacy principles to permit for information sharing between agencies to settle longstanding Aboriginal land ownership issues.19
Refer to Power of the Information Commissioner to waive or modify the privacy principles for more information.
- 1 Agency in this guideline also refers to a Minister, including the Minister for Health
- 2 See schedule 5 of the IP Act.
- 3 See section 12 of the IP Act for the definition of personal information.
- 4 Section 33 of the IP Act. The privacy principles also include the obligations relating to contracted service providers in chapter 2, part 4, but they are not relevant to inter-agency information sharing.
- 5 Disclosure is defined in section 23 of the IP Act. See Key privacy concepts - disclosure for more information.
- 6 Information Privacy Principles 1 and 3.
- 7 The exception is where the information is entirely unsolicited, ie the first agency shares it with the second agency with no prior discussion or permission, which is not a collection of personal information.
- 8 Section 7(2) of the IP Act.
- 9 For example, a Memorandum of Understanding.
- 10 IPP 11(2) requires that agencies disclosing under IPP 11(1)(e) make a note of the disclosure with the information.
- 11 See, for example, QPS information request form
- 12 See the Queensland Human Rights Commission for more info.
- 13 Section 7(2)(b) provides that the IP Act gives way to other legislation that deals with disclosure; additionally, IPP 11(1)(d) provides personal information can be disclosed where it is authorised or required by law
- 14 and non-government agencies, but they are beyond the scope of this guideline. Refer to the DFVP information sharing guidelines for more information: https://www.justice.qld.gov.au/initiatives/end-domestic-family-violence/our-progress/strengthening-justice-system-responses/domestic-family-violence-information-sharing-guidelines
- 15 Unless the other agency already knows it or is in a position to find it out and/or the sharing agency will retain control of the information—see Key privacy concepts - disclosure for more information.
- 16 IPP 7 and IPP 8 – refer to All agencies - Accuracy and relevance of personal information for more information.
- 17 IPP 9 - refer to All agencies - Accuracy and relevance of personal information for more information.
- 18 IPP 4 – refer to Non-health agencies - Protection and security of personal informationfor more information.
- 19 https://www.oic.qld.gov.au/decisions/waiver-under-section-157-of-the-information-privacy-act-2009-8-june-2012
Current as at: May 28, 2021