All agencies - Use and disclosure authorised by law

Health agencies¹ are required to comply with the National Privacy Principles (NPPs), and all other agencies² with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).

Under IPP 10 and NPP 2 an agency can only use personal information³ for the reason it was collected unless one of the exceptions applies. Under IPP 11 and NPP 2, an agency cannot disclose personal information outside the agency unless one of the exceptions applies.

The exceptions include that the use or disclosure is authorised or required by law as set out in IPP 10(1)(c) and 11(1)(d), and NPP 2(1)(f).

The privacy principles

IPP 10

(1)     An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—

(c)     use of the information for the other purpose is authorised or required under a law.

IPP 11

(1)     An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—

(d)     the disclosure is authorised or required under a law.

NPP 2

(1) A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—

(f)   the use or disclosure is authorised or required by or under law

What is meant by law

As a general rule, law means Queensland statutory instruments. It will also mean Commonwealth legislation, or a law of another state or territory, where the legislation applies in Queensland.

Natural justice

Natural justice is an exception to this rule. The obligation to accord natural justice is one of the fundamental underpinnings of government decision making and the failure to accord it is one of the grounds on which a decision may be overturned on judicial review.

If it is necessary to use or disclose personal information in order to fully accord natural justice, then that use or disclosure will be authorised under these exceptions.

For detailed information refer to Natural justice, disclosure, and privacy.

Required or authorised under a law

Use or disclosure of the information will be required under law where:

• the law in question specifically requires the agency holding the information to use it or disclose it for that other purpose
• a law grants a body the power to request the information from the holding agency, whether the power is discretionary or not, and the holding agency has to provide it in answer to the request; or
• a law requires the agency to perform a certain function, and it is impossible to perform that function without using the information.

Use or disclosure of the personal information will be authorised under law where the use or disclosure is permitted but not required.

• The law must clearly and expressly give the holding agency the discretion to use or disclose the personal information for that purpose.
• The agency must be able to point to a specific relevant legislative provision granting the discretion.
• It is not enough for the agency to show that the use or disclosure is merely within the agency’s lawful functions.
• A general power granting an agency the power to ‘do anything necessary’ or ‘do anything else in connection with’ will not be sufficient to authorise the use or disclosure for the other purpose.
• If disclosure of the information is prohibited by law, disclosure will not be authorised even if the requesting agency has a discretionary power to request it.
• A use or disclosure is not authorised by law simply because there is no law prohibiting it.

Implied legal authority

Generally, the use or disclosure of personal information must be done under an express authority, such as a section, part or chapter of an Act.  There are, however, some circumstances in which the lawful authority may be implied rather than express.

Where it is impossible to perform a function or activity required or authorised by an Act without using or disclosing personal information, the use or disclosure will be impliedly authorised by law.

For example, where an agency has a legal obligation to report the full details of a benefit scheme it administers to an oversight body, there is an implied legal authority to disclose personal information of individuals who have received the benefit, as it is impossible to report as legally required without doing so.

Only so far as is necessary

Care must be taken when relying on these exceptions to only use or disclose as much personal information as is necessary to meet the obligation or authorisation.  Personal information used or disclosed in excess of this will not be authorised.