Queensland government health agencies must manage personal information in compliance with the privacy principles in the Information Privacy Act 2009 (Qld) (IP Act). This includes when sharing personal information with other health agencies or with non-health agencies.
This guideline is intended to assist health agencies to share information with both non-health agencies and other health agencies in compliance with the privacy principles. Non-health agencies (agencies) should refer to Privacy and information sharing between agencies.
A health agency is the Department of Health or a Hospital and Health Service. An agency1 is a department, local government, public authority such as the Health Ombudsman and the Crime and Corruption Commission, and Queensland public universities.
Health agencies and non-health agencies must both comply with the privacy principles.
The privacy principles health agencies must comply with include the National Privacy Principles (NPPs)—which set out the rules for how health agencies collect, store, secure, verify, use and disclose personal information—and the rules about transferring personal information out of Australia.2
Sharing personal information generally involves a health agency disclosing personal information to a third party;3 if that third party is another health agency or an agency, the privacy principles governing collection4 will apply to it.5 Sharing information with third parties that are not health agencies or agencies is not addressed in this guideline.
Health agencies must not collect personal information unless it is necessary for one or more of their functions and must collect it lawfully, fairly, and not in an unreasonably intrusive way.6
The privacy principles can support the necessary flow of personal information between health agencies and other health agencies or agencies, but health agencies must consider their privacy obligations before deciding personal information can be shared.
Failure to comply with the privacy principles can erode community trust and goodwill, cause distress and detriment to individuals, and result in privacy complaints. Privacy complaints which are not resolved by the health agency can be escalated to the Office of the Information Commissioner and subsequently to the Queensland Civil and Administrative Tribunal, which can be costly and time consuming.
The privacy principles apply to personal information. Personal information is any information about an individual who can reasonably be identified.7 All information that fits this definition is personal information, even if it does not seem sensitive or appears to be harmless, unimportant, or trivial.
If the information a health agency wants to share is not personal information, the privacy principles do not apply.
Refer to What is personal information? for more information.
Some of the NPPs create rules for specific types of personal information. These are:
For sensitive information—health agencies have extra requirements they must meet before it can be collected.9 See Health agencies - collecting sensitive personal information for more information.
For health information—when the health agency is providing a health service it may disclose health information to a person responsible for the individual it is about in the circumstances set out in NPP 2(3).10 See Health agencies - disclosure in provision of a health service for more information.
The privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information.11 If information is subject to confidentiality or secrecy provisions, such as those in the Hospital and Health Boards Act 2011 (Qld) (HHB Act), health agencies must refer to the relevant Act to determine if it can be shared.
Health agencies deliver services to the community in accordance with their specific responsibilities. Where these responsibilities overlap and/or interact with the responsibilities of other health agencies or agencies, sharing information with them can aid in the efficient and effective targeting of government resources, support, and services.
Information sharing can lead to better informed government decision making and streamline government processes, particularly where the individual would otherwise be providing the same information to related agencies. This can be especially beneficial where the information may be difficult or traumatic to retell.
It can also provide enhanced protections for vulnerable members of the community, such as victims of family violence, by allowing better collaboration between support agencies.
The steps a health agency takes when planning to share information will depend on whether it will be one-off or an on-going arrangement.
Ongoing, regular sharing of personal information should be governed by a written agreement12 that sets out the parameters of the arrangement, including the grounds on which the sharing is permitted, any limitations on access and use of that information, and a process to address situations where the agreement is not followed.
Queensland Health has a Memorandum of Understanding with the Queensland Police Service, entered into under the HHB Act, which allows sharing specific information about mental health consumers to prevent or resolve a crisis situation involving risk to the consumer or others.
Addressing the below issues in an agreement can assist in ensuring both the transferring health agency and receiving health agency or agency meet their privacy obligations:
Depending on the circumstances and information being shared, a privacy impact assessment (PIA) should be undertaken. A PIA will allow health agencies to identify, assess, and manage any risks associated with the information sharing arrangement. Even if a PIA is not developed, assessing the risks associated with the intended information sharing can be an important part of privacy compliance.
One-off information sharing will generally not require a written agreement, but health agencies need to consider their privacy obligations, decide whether sharing the information is appropriate, and document the disclosure.13
For both one-off and ongoing sharing, the disclosing health agency and the collecting health agency or agency must ensure they comply with the relevant privacy principles.
A general information sharing policy that tells officers how to deal with requests for personal information from other health agencies or agencies can help health agencies meet their privacy obligations and safeguard against breaches.
A policy could set out the benefits of information sharing, explain the privacy considerations, include any disclosure request forms14 or existing information sharing arrangements, and direct officers to more information and relevant contacts.
As part of assessing any personal information sharing arrangement, health agencies should identify:
A PIA can be useful for assessing and addressing these issues.
Health agencies must also comply with the Human Rights Act 2019 (Qld).15 It requires health agencies to give proper consideration to, and act compatibly with, human rights when making decisions or taking actions. This includes a decision to share, or not to share, personal information with another health agency or agency.
It is essential that both the disclosing health agency and the receiving health agency or agency understand and agree on the purpose of any proposed sharing of personal information. The purpose will determine:
If an Act requires or permits the information to be shared, then the sharing will be authorised if it is done in accordance with any specific requirements in that Act.16 This may require health agencies to assess the Act to ensure its provisions have been complied with.
The Domestic and Family Violence Protection Act 2012 (Qld) (DFVP Act) creates an information sharing arrangement that allows health agencies17 to share information where a person’s safety may be at risk. It requires consent to be sought where safe, possible and practical but allows sharing without consent where:
Sharing personal information with another health agency or agency will generally involve disclosing it.18 Any disclosure of personal information to another health agency or agency must fall within the circumstances listed in NPP 2 (1),19 which include:
Refer to the disclosure guidelines for more information.
Any information sharing that requires personal information to be transferred out of Australia will need to comply with section 33. This includes where the individual has agreed to the transfer, the transfer is authorised or required by law, or is necessary to prevent a threat to an individual or the public.
For more information refer to Sending personal information out of Australia.
The privacy principles provide the necessary flexibility to share information in emergencies and disaster events. This includes allowing personal information to be disclosed to assist in law enforcement activities and to be disclosed and transferred overseas to prevent harm to the public or an individual.
For more information refer to Privacy and managing disaster events, All agencies - Use or disclosure for law enforcement, and All agencies - Use or disclosure to prevent harm.
For specific guidance on information sharing in a pandemic refer to Managing privacy in a pandemic.
Health agencies are required to take reasonable steps to ensure personal information is accurate, complete, not misleading and up to date.21 Health agencies sharing personal information need to take these reasonable steps before providing it to another health agency or agency.
Health agencies should limit the information being shared to only what is necessary to fulfill the purpose of sharing, and reasonable steps must be taken to protect the personal information from misuse, loss and unauthorised access, modification, or disclosure.22 If it is no longer needed for any purpose for which it may be used or disclosed, the health agency must take reasonable steps to deidentify it, subject to relevant public records requirements.23
The IP Act allows for a health agency's compliance with the privacy principles to be waived or modified where non-compliance is more in the public interest than compliance. These waivers can allow information sharing that would otherwise be a breach of the privacy principles, for example waiving the privacy principles to permit information sharing between agencies to settle longstanding Aboriginal land ownership issues.24
Refer to Power of the Information Commissioner to waive or modify the privacy principles for more information.
Current as at: April 27, 2023