Surveys and the Privacy Principles
Overview
The Information Privacy Act 2009 (Qld) (IP Act) requires agencies to deal with personal information in accordance with the privacy principles. Agencies routinely use survey tools to collect information for the assessment, improvement, and development of programs and service. This guideline discusses the privacy considerations of conducting a survey.
Personal information
Personal information is any information about an identified or reasonably identifiable individual.1 If a survey does not collect or use personal information, agencies do not need to consider the IP Act when conducting the survey.
However, a survey is not necessarily anonymous just because it doesn't ask for a name. Individuals can be identifiable from a variety of information, particularly if they are part of a small group. An individual may be reasonably identifiable where:
- the survey responses can be linked with other information – for example, if a survey of employees asks for the respondent’s position title and how long they have been working for the agency, this information could be linked with the agency’s personnel records to reveal a respondent’s identity
- the combination or precision of demographic characteristics, e.g., asking for a specific age rather than an age group, such as gender, age, occupation, and indigenous status is sufficiently unique to identify a respondent; or
- the survey provides a free text option – as the agency has limited control over what text is entered, it may collect information that identifies the respondent or another individual.
Refer to Key privacy concepts – personal and sensitive information for more information.
Designing the survey
The Queensland Privacy Principles (QPPs) govern the collection of personal information. QPP 3 provides that an agency can only collect personal information which is reasonably necessary for, or directly related to, one or more of its functions or activities. Additionally, as a general rule agencies must not collect ‘sensitive information’,2 without an individual’s consent. All personal information must be collected by lawful and fair means.
When assessing a survey's QPP 3 compliance, agencies should particularly consider:
- how much personal information it is requesting
- what kind of personal information it is requesting – bearing in mind the stricter rules governing the collection of sensitive information; and
- whether any or all of the survey is mandatory.
Agencies must also take reasonable steps to make people aware of the relevant matters listed in QPP 5.2. The QPP 5 matters can be an important part of establishing why personal information was collected, which is a key part of determining when it can be used and disclosed.
Refer to QPP 3 – collection of solicited information and QPP 5 – informing people when collecting personal information.
Distributing the survey
Two common methods of distributing a survey are:
- promote its availability through established communication channels, such as the agency’s website or social media accounts; and
- use contact information (for example, email addresses) held by the agency to directly distribute the survey.
Under QPP 6, personal information can be used or disclosed for the primary purpose, for a directly related secondary purpose the individual would expect, or for any of the other circumstances set out in QPP 6.
Whether an agency can use existing contact information to distribute a survey depends on why the contact details were initially collected, i.e. the primary purpose of collection of those contact details. Examining information provided to the individual when their information was collected can assist in determining whether the survey is part of the primary purpose.
Sometimes an apparent secondary purpose’ will actually be part of the primary purpose. For example, conducting a trial of a product would entail collecting feedback on the product; the feedback is an integral part of the conduct of the trial and so it is part of the primary purpose.
If an agency provides a service to an individual and it obtains and uses a contact email to deliver that service, contacting the individual to obtain feedback on the service will generally be a directly related and expected secondary purpose.
Refer to the use and disclosure guidelines for more information about when personal information can be used and disclosed.
Online survey tools
The IP Act recognises that personal information can be particularly vulnerable when it passes outside of Australia. Section 33 of the IP Act states that an agency cannot disclose personal information outside Australia unless certain conditions are met.
Disclosure is defined in section 23 of the IP Act. This definition requires more than just sending the personal information out of Australia. The agency must also lose control of the information.
Many popular online survey tools, such as SurveyMonkey and Google Forms, are provided by companies that are located overseas and/or use servers located outside Australia to store survey responses.
Also, if the agency intends to publish respondents’ survey responses online, for example, on a website or social media site, any personal information in the survey responses will potentially be disclosed outside Australia.
Section 33 sets out four circumstances in which an agency can disclose personal information out of Australia. The most likely to apply to conducting a survey are:
- where the individual the subject of the information consents to the disclosure;3 or
- where the recipient of information is subject to privacy obligations equivalent to the IP Act.4
If a survey is voluntary, an agency can obtain the individual's consent by including a statement that completion means they consent to disclosure overseas at the commencement of the survey.
Example
We are conducting this survey using SurveyMonkey, which means that the information collected in this survey will be transferred outside Australia and stored securely on SurveyMonkey's servers. By volunteering to complete this survey you agree to this transfer. You can find out more about how SurveyMonkey handles your personal information here.
Refer to Disclosing personal information out of Australia for more information.
Reading terms and conditions
Before using an online survey tool, an agency should take reasonable steps to satisfy itself that the company which offers the tool will handle personal information appropriately.
Terms and conditions are not always easy to read as they can be long-winded, technically complex, or overly legalistic. However, if you know what to look for, you can easily get the information you are interested in. Here are a few pointers:
- Find the right section. While contract terms and conditions can be long, the ‘privacy’ section is usually only a few paragraphs and is often clearly titled with variations of ‘What personal information we collect’, ‘What we use it for?’, ‘Who we give it to’ and ‘How we protect your information’.
- How is the personal information going to be used? Check whether personal information will be used for other purposes. If additional uses are intended, look at whether there is an option to choose not to receive these services – such as an opt-out option.
- Will the personal information be given to someone else? Find out whether the personal information be shared with third parties and if so, for what purpose? Does the company use sub-contractors?
- How will the personal information be protected? Look for a description of the security measures that will be used to keep your personal information safe.
- 1 See section 12 of the IP Act for the full definition.
- 2 ‘Sensitive information’ is defined in schedule 5 of the IP Act. A category of personal information, it includes information such as information about an individual’s racial or ethnic origin, political opinions, religious beliefs and sexual orientation.
- 3 Section 33(a) of the IP Act.
- 4 Sections 33(d)(i) and 33(d)(iv) of the IP Act.
Current as at: July 1, 2025