Agencies are required to comply with the Information Privacy Principles (IPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
IPP 10 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies.
IPP 11 provides that personal information must not be disclosed outside the holding agency unless one of the exceptions applies.
One of the exceptions to both IPP 10 and IPP 11 is that the use or disclosure is authorised or required by law.
Authorised or required by law – IPP 10(1)(c) and 11(1)(d)
(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(c) use of the information for the other purpose is authorised or required under a law.
(1) An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—
(d) the disclosure is authorised or required under a law.
Before an agency relies on these IPPs, it should specifically identify the regulatory instrument and provision on which it is relying. If a disclosure is being made in response to a request from an agency with the power to request the information:
- the requesting agency must be specific about what law authorises or requires the disclosure
- the disclosing agency must be satisfied that the request is specific and cites the relevant legislative provision.
Vague statements such as ‘I am of the opinion that this information is required in the interests of justice’ are not sufficient, and cannot be accepted as a valid request under these IPPs.
What is meant by law
As a general rule, law in IPPs 10 and 11 means Queensland statutory instruments. It will also mean Commonwealth legislation, or a law of another state or territory, where the legislation applies to the Queensland government.
Natural justice is an exception to this rule. The obligation to accord natural justice is one of the fundamental underpinnings of government decision making. The failure to accord it is one of the grounds on which a decision may be overturned on judicial review. The High Court has said that the obligation to accord natural justice is either:
- an obligation implied into statutes conferring decision making powers
- a common law duty that applies unless it is expressly excluded by the statute.
A presumption exists that the exercise of statutory power is conditional upon the observance of the rules of natural justice.
If it is necessary to use or disclose personal information in order to fully accord natural justice, then that use or disclosure will be authorised under IPP 10(1)(c)/11(1)(d).
The onus, however, will be on the agency to establish why personal information must be disclosed in order to afford natural justice. If natural justice can be accorded using de-identified information, or by providing an accurate and comprehensive summary of the information omitting any identifying details, then the use or disclosure will not be authorised under these IPPs.
Only the minimum amount of personal information necessary for natural justice to be properly accorded should be used or disclosed, and any extraneous or irrelevant personal information held back. If personal information is given to an agency in circumstances that the agency could reasonably foresee that the requirement to accord natural justice might arise, the provider of the information should be advised of that fact.
Required or authorised under a law
Use or disclosure of the information will be required under law where:
- the law in question specifically requires the agency holding the information to use it or disclose it for that other purpose
- a law grants a body the power to request the information from the holding agency, whether the power is discretionary or not, and the holding agency has to provide it in answer to the request
- a law requires the agency to perform a certain function, and it is impossible to perform that function without using the information.
Use or disclosure of the personal information will be authorised under law where the use or disclosure is permitted but not required.
- The law must clearly and expressly give the holding agency the discretion to use or disclose the personal information for that purpose.
- The agency must be able to point to a specific relevant legislative provision granting the discretion.
- It is not enough for the agency to show that the use or disclosure is merely within the agency’s lawful functions.
- A general power granting an agency the power to ‘do any thing necessary’ or ‘do anything else in connection with’ will not be sufficient to authorise the use or disclosure for the other purpose.
- If disclosure of the information is prohibited by law, disclosure will not be authorised even if the requesting agency has a discretionary power to request it.
- A use or disclosure is not authorised by law simply because there is no law prohibiting it.
Implied legal authority
Generally, the use or disclosure of personal information under these IPPs must be done under an express authority, such as a section, part or chapter of an Act. There are, however, some circumstances in which the lawful authority may be implied rather than express.
If a specific Act requires or authorises a function or activity that clearly and directly involves the use or disclosure of personal information, or is impossible to give effect to without using or disclosing personal information, the use or disclosure will be impliedly authorised by law because it is impossible to perform the function or activity without the use or disclosure.
For example, where an agency has a legal obligation to report the full details of a benefit scheme it administers to an oversight body, there is an implied legal authority to disclose personal information of individuals who have received the benefit, as it is impossible to report as legally required without doing so.
Only so far as is necessary
Care must be taken when relying on these IPPs only to use or disclose personal information that is necessary to meet the obligation or authorisation. Personal information used or disclosed in excess of this will not be authorised under these IPPs.
Current as at: July 19, 2013