Privacy and information sharing for health agencies

Queensland government health agencies must manage personal information in compliance with the privacy principles in the Information Privacy Act 2009 (Qld) (IP Act). This includes when sharing personal information with other health agencies or with non-health agencies.

This guideline is intended to assist health agencies to share information with both non-health agencies and other health agencies in compliance with the privacy principles. Non-health agencies (agencies) should refer to Privacy and information sharing between agencies.

What is a health agency?

A health agency is the Department of Health or a Hospital and Health Service. An agency1 is a department, local government, public authority such as the Health Ombudsman and the Crime and Corruption Commission, and Queensland public universities.

Health agencies and non-health agencies must both comply with the privacy principles.

What are the privacy principles?

The privacy principles health agencies must comply with include the National Privacy Principles (NPPs)—which set out the rules for how health agencies collect, store, secure, verify, use and disclose personal information—and the rules about transferring personal information out of Australia.2

Sharing personal information generally involves a health agency disclosing personal information to a third party;3 if that third party is another health agency or an agency, the privacy principles governing collection4 will apply to it.5 Sharing information with third parties that are not health agencies or agencies is not addressed in this guideline.

Collection obligations

Health agencies must not collect personal information unless it is necessary for one or more of their functions and must collect it lawfully, fairly, and not in an unreasonably intrusive way.6

The privacy principles can support the necessary flow of personal information between health agencies and other health agencies or agencies, but health agencies must consider their privacy obligations before deciding personal information can be shared.

Failure to comply with the privacy principles can erode community trust and goodwill, cause distress and detriment to individuals, and result in privacy complaints. Privacy complaints which are not resolved by the health agency can be escalated to the Office of the Information Commissioner and subsequently to the Queensland Civil and Administrative Tribunal, which can be costly and time consuming.

What is personal information?

The privacy principles apply to personal information. Personal information is any information about an individual who can reasonably be identified.7 All information that fits this definition is personal information, even if it does not seem sensitive or appears to be harmless, unimportant, or trivial.

If the information a health agency wants to share is not personal information, the privacy principles do not apply.

Refer to What is personal information? for more information.

Sensitive information and health information

Some of the NPPs create rules for specific types of personal information. These are:

  • sensitive information; and
  • health information.8

For sensitive information—health agencies have extra requirements they must meet before it can be collected.9 See Health agencies - collecting sensitive personal information for more information.

For health information—when the health agency is providing a health service it may disclose health information to a person responsible for the individual it is about in the circumstances set out in NPP 2(3).10 See Health agencies - disclosure in provision of a health service for more information.

If disclosure is prohibited by law

The privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information.11 If information is subject to confidentiality or secrecy provisions, such as those in the Hospital and Health Boards Act 2011 (Qld) (HHB Act), health agencies must refer to the relevant Act to determine if it can be shared.

Benefits of sharing information

Health agencies deliver services to the community in accordance with their specific responsibilities. Where these responsibilities overlap and/or interact with the responsibilities of other health agencies or agencies, sharing information with them can aid in the efficient and effective targeting of government resources, support, and services.

Information sharing can lead to better informed government decision making and streamline government processes, particularly where the individual would otherwise be providing the same information to related agencies. This can be especially beneficial where the information may be difficult or traumatic to retell.

It can also provide enhanced protections for vulnerable members of the community, such as victims of family violence, by allowing better collaboration between support agencies.

Planning for information sharing

The steps a health agency takes when planning to share information will depend on whether it will be a one-off or an ongoing arrangement.

Ongoing, regular sharing of personal information should be governed by a written agreement12 that sets out the parameters of the arrangement, including the grounds on which the sharing is permitted, any limitations on access and use of that information, and a process to address situations where the agreement is not followed.

Example

Queensland Health has a Memorandum of Understanding with the Queensland Police Service, entered into under the HHB Act, which allows sharing specific information about mental health consumers to prevent or resolve a crisis situation involving risk to the consumer or others.

Addressing the below issues in an agreement can assist in ensuring both the transferring health agency and receiving health agency or agency meet their privacy obligations:

  • Which officers will be involved in sharing the information before, during, and after? Generally, only officers who need to be involved in the process or subsequent use of the personal information should have access to the shared information.
  • What is the nature of the information being shared? Is some or all of it sensitive or subject to specific security considerations?
  • How is it being shared? This will often depend on the information's form, eg is it copies of paper or digital records or is partial/full access to a health agency’s database being given?
  • Is the sharing subject to audit or monitoring arrangements to ensure that the proposed objective is being/has been met and that only designated persons are involved in the process?
  • Is there a timeframe for review of any long-term sharing arrangement?

Depending on the circumstances and information being shared, a privacy impact assessment (PIA) should be undertaken. A PIA will allow health agencies to identify, assess, and manage any risks associated with the information sharing arrangement. Even if a PIA is not developed, assessing the risks associated with the intended information sharing can be an important part of privacy compliance.

One-off information sharing will generally not require a written agreement, but health agencies need to consider their privacy obligations, decide whether sharing the information is appropriate, and document the disclosure.13

For both one-off and ongoing sharing, the disclosing health agency and the collecting health agency or agency must ensure they comply with the relevant privacy principles.

Information sharing policies

A general information sharing policy that tells officers how to deal with requests for personal information from other health agencies or agencies can help health agencies meet their privacy obligations and safeguard against breaches.

A policy could set out the benefits of information sharing, explain the privacy considerations, include any disclosure request forms14 or existing information sharing arrangements, and direct officers to more information and relevant contacts.

Sharing the information

As part of assessing any personal information sharing arrangement, health agencies should identify:

  • the purpose of sharing the information
  • whether the sharing is authorised by an Act
  • whether disclosure is compliant with the privacy principles; and
  • whether the sharing involves transferring it overseas.

A PIA can be useful for assessing and addressing these issues.

Human Rights Act

Health agencies must also comply with the Human Rights Act 2019 (Qld).15 It requires health agencies to give proper consideration to, and act compatibly with, human rights when making decisions or taking actions. This includes a decision to share, or not to share, personal information with another health agency or agency.

What is the purpose of the information sharing?

It is essential that both the disclosing health agency and the receiving health agency or agency understand and agree on the purpose of any proposed sharing of personal information. The purpose will:

  • determine whether the health agency or agency requesting it can do so without breaching the collection privacy principles; and
  • assist the health agency it was requested from to assess whether the personal information can be shared.

Is there an Act that requires or permits the sharing?

If an Act requires or permits the information to be shared, then the sharing will be authorised if it is done in accordance with any specific requirements in that Act.16 This may require health agencies to assess the Act to ensure its provisions have been complied with.

Example: information sharing arrangements

The Domestic and Family Violence Protection Act 2012 (Qld) (DFVP Act) creates an information sharing arrangement that allows health agencies17 to share information where a person’s safety may be at risk. It requires consent to be sought where safe, possible and practical but allows sharing without consent where:

  • the health agency reasonably believes a person fears or is experiencing domestic violence; and
  • the information may help another service receiving the information to assess whether there is a serious threat to the person’s life, health or safety because of domestic violence.

Disclosure under NPP 2

Sharing personal information with another health agency or agency will generally involve disclosing it.18 Any disclosure of personal information to another health agency or agency must fall within the circumstances listed in NPP 2 (1),19 which include:

  • where the reason for disclosure is related20 to why the information was collected, and the individual would reasonably expect the health agency to disclose it for that reason
  • with the individual's express or implied consent
  • to prevent a serious threat to an individual or the public
  • to a law enforcement agency or enforcement body to fulfill one or more enforcement functions; and
  • if the information is health information, for public interest research.

Refer to the disclosure guidelines for more information.

Transferring information out of Australia

Any information sharing that requires personal information to be transferred out of Australia will need to comply with section 33. This includes where the individual has agreed to the transfer, the transfer is authorised or required by law, or is necessary to prevent a threat to an individual or the public.

For more information refer to Sending personal information out of Australia.

Sharing information in an emergency

The privacy principles provide the necessary flexibility to share information in emergencies and disaster events. This includes allowing personal information to be disclosed to assist in law enforcement activities and to be disclosed and transferred overseas to prevent harm to the public or an individual.

For more information refer to Privacy and managing disaster events, All agencies - Use or disclosure for law enforcement, and All agencies - Use or disclosure to prevent harm.

Information sharing in a pandemic

For specific guidance on information sharing in a pandemic refer to Managing privacy in a pandemic.

Other privacy considerations: quality, relevance, security

Health agencies are required to take reasonable steps to ensure personal information is accurate, complete, not misleading and up to date.21 Health agencies sharing personal information need to take these reasonable steps before providing it to another health agency or agency.

Health agencies should limit the information being shared to only what is necessary to fulfill the purpose of sharing and reasonable steps must be taken to protect the personal information from misuse, loss and unauthorised access, modification, or disclosure.22 If it is no longer needed for any purpose for which it may be used or disclosed, the health agency must take reasonable steps to deidentify it, subject to relevant public records requirements.23

Privacy principle waivers

The IP Act allows for a health agency's compliance with the privacy principles to be waived or modified where non-compliance is more in the public interest than compliance. These waivers can allow information sharing that would otherwise be a breach of the privacy principles, for example waiving the privacy principles to permit information sharing between agencies to settle longstanding Aboriginal land ownership issues.24

Refer to Power of the Information Commissioner to waive or modify the privacy principles for more information.

  • 1 Agency in this guideline also refers to a Minister, including the Minister for Health; health agency only refers to the Department of Health or a Hospital and Health Service.
  • 2 Section 33 of the IP Act. The privacy principles also include the obligations relating to contracted service providers in chapter 2, part 4, but they are not relevant to inter-agency or health agency information sharing.
  • 3 Disclosure is defined in section 23 of the IP Act. See Key privacy concepts - disclosure for more information.
  • 4 NPP 1 for health agencies; Information Privacy Principles (IPPs) 1 and 3 for other agencies.
  • 5 The exception is where the information is entirely unsolicited, ie the health agency shares it with the other health agency or agency with no prior discussion or permission, which is not a collection of personal information.
  • 6 NPP 1
  • 7 See section 12 of the IP Act for the definition of personal information.
  • 8 Both defined in schedule 5 of the IP Act.
  • 9 Set out in NPP 9. Refer also to NPP 2(1)(a)(i), which places a more stringent requirement on the disclosure of sensitive information.
  • 10 Health information can also be disclosed for public interest research under NPP 2(1)(c). See All agencies - Use or disclosure for public interest research for more information.
  • 11 Section 7(2) of the IP Act.
  • 12 For example, a Memorandum of Understanding.
  • 13 NPP 2(2) requires that health agencies disclosing under NPP 2(1)(g) make a note of the disclosure with the information.
  • 14 See, for example, QPS information request form
  • 15 See the Queensland Human Rights Commission for more info.
  • 16 Section 7(2)(b) provides that the IP Act gives way to other legislation that deals with disclosure; additionally, NPP 2(1)(f) provides personal information can be disclosed where it is authorised or required by law
  • 17 It also allows agencies and non-government entities to share information, but non-government entities are beyond the scope of this guideline. Refer to the DFVP information sharing guidelines for more information: https://www.justice.qld.gov.au/initiatives/end-domestic-family-violence/our-progress/strengthening-justice-system-responses/domestic-family-violence-information-sharing-guidelines
  • 18 Unless the other health agency or agency already knows it or is in a position to find it out and/or the sharing agency will retain control of the information—see Key privacy concepts - disclosure for more information.
  • 19 And NPP 2(3), which allows a health agency providing a health service to an individual to disclose health information about the individual to a person who is responsible for the individual in specific circumstances; however, this will rarely apply when sharing information with another health agency or agency.
  • 20 For sensitive information the reason for disclosure must be directly related to the reason it was collected.
  • 21 NPP 3 and NPP 7 – refer to All agencies - Accuracy and relevance of personal information for more information.
  • 22 NPP 4(1) – refer to Health agencies - data security for more information.
  • 23 NPP 4(2) – refer to Health agencies - data security for more information.
  • 24 https://www.oic.qld.gov.au/decisions/waiver-under-section-157-of-the-information-privacy-act-2009-8-june-2012

Current as at: April 27, 2023