Health agencies[1] are required to comply with the National Privacy Principles (NPPs), and all other agencies[2] with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).
In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.
Under IPP 10 and NPP 2 an agency can only use personal information[3] for the reason it was collected unless one of the exceptions applies. Under IPP 11 and NPP 2, an agency cannot disclose personal information outside the agency unless one of the exceptions applies.
The exceptions include that the use or disclosure is authorised or required by law as set out in IPP 10(1)(c) and 11(1)(d), and NPP 2(1)(f).
It is important to note that the privacy principles do not authorise the disclosure of personal information. Rather, they mean that an agency legitimately disclosing personal information under IPP 11(1) or NPP 2(1) does not breach those privacy principles and can rely on them as a defence to a privacy complaint.
In addition, the privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information, for example confidentiality provisions like those contained in the Hospital and Health Boards Act 2012 or the Child Protection Act 1999.
The privacy principles
(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(c) use of the information for the other purpose is authorised or required under a law.
(1) An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—
(d) the disclosure is authorised or required under a law.
(1) A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—
(f) the use or disclosure is authorised or required by or under law
What is meant by law
As a general rule, law means Queensland statutory instruments. It will also mean Commonwealth legislation, or a law of another state or territory, where the legislation applies in Queensland.
Natural justice is an exception to this rule. The obligation to accord natural justice is one of the fundamental underpinnings of government decision making and the failure to accord it is one of the grounds on which a decision may be overturned on judicial review.
If it is necessary to use or disclose personal information in order to fully accord natural justice, then that use or disclosure will be authorised under these exceptions.
For detailed information refer to Natural justice, disclosure, and privacy.
Required or authorised under a law
Use or disclosure of the information will be required under law where:
- the law in question specifically requires the agency holding the information to use it or disclose it for that other purpose;
- a law grants a body the power to request the information from the holding agency, whether the power is discretionary or not, and the holding agency has to provide it in answer to the request; or
- a law requires the agency to perform a certain function, and it is impossible to perform that function without using the information.
Use or disclosure of the personal information will be authorised under law where the use or disclosure is permitted but not required.
- The law must clearly and expressly give the holding agency the discretion to use or disclose the personal information for that purpose.
- The agency must be able to point to a specific relevant legislative provision granting the discretion.
- It is not enough for the agency to show that the use or disclosure is merely within the agency’s lawful functions.
- A general power granting an agency the power to ‘do anything necessary’ or ‘do anything else in connection with’ will not be sufficient to authorise the use or disclosure for the other purpose.
- If disclosure of the information is prohibited by law, disclosure will not be authorised even if the requesting agency has a discretionary power to request it.
- A use or disclosure is not authorised by law simply because there is no law prohibiting it.
Implied legal authority
Generally, the use or disclosure of personal information must be done under an express authority, such as a section, part or chapter of an Act. There are, however, some circumstances in which the lawful authority may be implied rather than express.
Where it is impossible to perform a function or activity required or authorised by an Act without using or disclosing personal information, the use or disclosure will be impliedly authorised by law.
For example, where an agency has a legal obligation to report the full details of a benefit scheme it administers to an oversight body, there is an implied legal authority to disclose personal information of individuals who have received the benefit, as it is impossible to report as legally required without doing so.
Only so far as is necessary
Care must be taken when relying on these exceptions to only use or disclose as much personal information as is necessary to meet the obligation or authorisation. Personal information used or disclosed in excess of this will not be authorised.
- [1] In this guideline, health agency includes a bound contracted service provider to a health agency.
- [2] In this guideline, agency includes Ministers and bound contracted service providers to the agency.
- [3] Any information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Current as at: September 20, 2019