All agencies - Use or disclosure for law enforcement

Health Agencies1 are required to comply with the National Privacy Principles (NPPs), and all other agencies2 with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).

Note

In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.

Under these privacy principles, all agencies, regardless of type:

  • can only use personal information3 for the reason it was collected unless one of the exceptions applies4; and
  • cannot disclose personal information outside the agency unless one of the exceptions applies5.

The exceptions include that the use or disclosure is necessary for law enforcement or protection of the public revenue, as set out in IPP 10(1)(d), 11(1)(e), and NPP 2(1)(e) (the law enforcement exceptions).

NPP 2 also allows a health agency to use or disclose personal information to investigate or report unlawful activity and IPP 11 allows a non-health agency to disclose personal information to ASIO.

Note

It is important to note that the privacy principles do not authorise the disclosure of personal information. Rather, they mean that an agency legitimately disclosing personal information under IPP 11(1) or NPP 2(1) does not breach those privacy principles and can rely on them as a defence to a privacy complaint.

In addition, the privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information, for example confidentiality provisions like those contained in the Hospital and Health Boards Act 2012 or the Child Protection Act 1999.

What is a law enforcement agency/enforcement body?

IPP 10(1)(d) and IPP 11(1)(e) use different definitions for law enforcement agency and NPP 2 uses enforcement body instead of law enforcement agency.

The meanings of these are set out below, but law enforcement agency will be used in this guideline to refer collectively to law enforcement agencies and enforcement bodies.

Law enforcement agency for IPP 10(1)(d)

Under IPP 10(1)(d) a law enforcement agency can only be a Queensland government agency. These include the Queensland Police Service, the Crime and Corruption Commission, the community safety department and any other agency to the extent it has responsibility for:

  • functions and activities directed to the prevention, detection, investigation, prosecution or punishment or offences and other breaches of the law attracting penalties or sanctions
  • the management of property seized or restrained under, or the enforcement of a law or of an order made under a law,  a law relating to the confiscation of the proceeds of crime; or
  • enforcement of or implementation of an order or decision made by a court or tribunal.

Enforcement body for NPP 2

Enforcement body for NPP 2 means an ‘enforcement body’ under the Privacy Act 1988 (Cth), which includes the Australian Federal Police, Customs, and any government body of the Commonwealth or of a State or Territory (including Queensland) with responsibility for revenue protection or for administering, or performing a function under, a law imposing penalties or sanctions.

Law enforcement agency for IPP 11(1)(e)

A law enforcement agency for IPP 11(1)(e) combines the above two definitions. It includes anything that is a law enforcement agency for IPP 10(1)(d) and anything that is an enforcement body under the Privacy Act 1988 (Cth).

The privacy principles

IPP 10—Limits on use of personal information

(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—

(d) the agency is satisfied on reasonable grounds that the use of the information for the other purpose is necessary for 1 or more of the following by or for a law enforcement agency—

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of seriously improper conduct;

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

IPP 11—Limits on disclosure

(1)   An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—

(e)     the agency is satisfied on reasonable grounds that the disclosure of the information is necessary for 1 or more of the following by or for a law enforcement agency—

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of seriously improper conduct;

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

NPP 2—Limits on use or disclosure of personal information

(1)  A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—

(g) the health agency reasonably believes that the use or disclosure is reasonably necessary for 1 or more of the following by or for an enforcement body—

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii)  the protection of the public revenue;

(iv)  the prevention, detection, investigation or remedying of seriously improper conduct;

(v)   the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Satisfied on reasonable grounds/reasonably believes that the use or disclosure is necessary

Under the law enforcement exceptions, agencies cannot simply hand over or use the information. An non-health agency must be satisfied on reasonable grounds, and a health agency must reasonably believe, that the personal information is necessary for one of the exceptions. This requires the agency to consider whether the use or disclosure will actually assist in one of the purposes listed in the law enforcement exceptions.

Generally the agency must:

  • be satisfied that there is a link between the proposed use or disclosure and the enforcement or protection activities; and
  • establish that the link is sufficient to make the use or disclosure of the personal information reasonably necessary.

The personal information need not be essential or critical to the activity, but it must be more than just helpful or expedient.

When disclosing, relevant considerations are:

  • whether the requesting officer has been identified as a legitimate officer, and has provided their details, including work unit and supervisor
  • the reason for the request – the agency should establish what is being investigated, at least in broad terms, and why the information is necessary
  • whether the agency has the contact details of a senior officer, who can verify that the investigation is legitimate, especially where the request involves a large amount of personal information or personal information of a sensitive nature
  • whether it is more appropriate, given the amount and sensitivity of the personal information, to wait for a warrant or other legal authority to be produced.

By or on behalf of

Agencies that fit the relevant definition of law enforcement agency will fall within ‘use by’ a law enforcement agency if they use personal information to assist with their own enforcement or protection activities.

An agency will use or disclose information on behalf of a law enforcement agency if:

  • it does something for the agency, or to assist the agency, in its law enforcement functions
  • it is making inquiries or carrying out a function for the agency.

What is a criminal offence?

Criminal offences are defined in the Criminal Code Act 1899 (Qld)6.   Other legislation, however, also contains criminal offences, such as the Vegetation Management Act 1999 (Qld) or the Animal Care and Protection Act 2001 (Qld).

If an agency is unsure if an offence is a criminal offence, they should request more information so they can determine this.

Law imposing a penalty

If a law requires someone to pay a sum of money for breaching it, then it is a law imposing a penalty.

Law imposing a sanction

A law imposes a sanction if it takes away a right or privilege or allows some disadvantaging action other than the imposition of a monetary penalty.  For example:

  • removal of a licence or entitlement
  • disciplinary action (such as suspension, a pay cut, or dismissal); or
  • the withdrawal of a benefit.

Proceeds of crime

Laws relating to confiscation of the proceeds of crime enable the proceeds, benefits and property derived from criminal activity to be traced, and provide for the forfeiture of property used in connection with the commission of criminal offences.

There are two confiscation schemes in operation in Queensland:

  • Conviction based confiscation: administered by the Office of the Director of Public Prosecutions. This occurs when a direct link can be established between a crime of which someone has been convicted and an asset.
  • Confiscation without conviction (civil confiscation):  this is administered by the Crime and Corruption Commission under the Criminal Proceeds Confiscation Act 2002 (Qld) and allows property to be restrained on the basis of reasonable suspicion of serious crime-related activity.

Enforcement

Enforcement encompasses the whole activity, from initial inquiries to the hearing of a matter in a court or presentation to a decision maker or non-judicial member. It also includes gathering intelligence to support the investigation function of enforcement bodies, or providing information to the relevant enforcement body.

Protection of the public revenue

The public revenue includes levies, taxes, rates and royalties charged on a regular basis. It does not include occasional charges, such as fines, or the recovery of the occasional overpayment by an agency.

Protection of the public revenue includes the activities of agencies and bodies intended to ensure that lawful obligations are met by those subject to the charges, such as routine collection, audits, investigatory and debt recovery actions.  Prosecution for failure to pay the charge would fall under the criminal law exception.

Activities intended to identify and eliminate inefficient but lawful spending of public money will not fall within this exception.

Seriously improper conduct

Seriously improper conduct refers to serious breaches of standards of conduct associated with a person’s duties, and includes:

  • corruption, abuse of power, or dereliction of duty
  • breach of obligations that would warrant the taking of enforcement action against the person; or
  • any other seriously reprehensible behaviour.

In the Queensland public service, seriously improper conduct can be identified by reference to:

  • official misconduct under the Crime and Corruption Act 2001 (Qld)
  • misconduct under the Police Service Administration Act 1990 (Qld) or the Public Sector Act 2022 (Qld)
  • other conduct under section 187 of the Public Sector Act 2022 (Qld) where it is serious and improper
  • a breach of the Public Sector Ethics Act 1994 (Qld) or of a Code of Conduct under that Act; or
  • a criminal offence.

Misconduct of this type may also be set out in specific statutes applying only to certain agencies.

Conduct of proceedings

An agency can use or disclose information for the preparation or conduct of proceedings before any court or tribunal by, or on behalf of, a law enforcement agency.

Where disclosing, there must be a clear link between the proceedings and the information being disclosed, and any disclosure should be limited to what is necessary and relevant.

Note

Where the use or disclosure is necessary for an agency to satisfy a court order, it would also fall under the privacy principles permitting use or disclosure based on a legal authority.

Notation

If a non-health agency discloses information, or a health agency uses or discloses information, under the law enforcement exceptions it must include a note of this with the information.

The note should include details of the disclosure or use, including relevant officers involved, and be made on, or attached to, the record containing the personal information. If this is not possible, a separate log may be kept as long as it is stored with the personal information.

Health agencies: investigate or report unlawful activity – NPP 2(1)(e)

(1) A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—

(e) the health agency has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

NPP 2(1)(e) allows a health agency to use or disclose personal information when it has reason to suspect that unlawful activity has been, is being, or may be engaged in. Unlawful activity refers to acts or omissions that expressly prohibited by Commonwealth or State law. For example, fraud is an offence under the Public Sector Act 2022 (Qld) and the Public Sector Ethics Act 1994 (Qld). Fraud is also a criminal offence in the Queensland Criminal Code.

Non-health agencies: disclosure to ASIO

(1) An agency having control of a document containing an individual’s personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information, unless—

(ea) All of the following apply—

(i) ASIO has asked the agency to disclose the personal information;

(ii) An officer or employee of ASIO authorised in writing by the director-general of ASIO for this paragraph has certified in writing that the personal information is required in connection with the performance by ASIO of its functions;

(iii) The disclosure is made to an officer or employee of ASIO authorised in writing by the director-general of ASIO to receive the personal information.

IPP 11(1)(ea) permits a non-health agency to disclose personal information to the Australian Security Intelligence Organisation (ASIO) in specific circumstances.

ASIO must request its disclosure, an ASIO officer or employee appropriately authorised by the director-general of ASIO must certify that the information is required in connection with ASIO's functions, and the non-health agency must only disclose the information to an ASIO officer or employee appropriately authorised in writing to receive it.

Definitions for IPP 11(1)(ea)

ASIO is the Australian Security Intelligence Organisation established under the Australian Security Intelligence Organisation Act 1979 (Cwlth). The director-general of ASIO is the person who has been appointed as the Director-General of Security under the Australian Security Intelligence Organisation Act 1979 (Cwlth).

  • 1 In this guideline, health agency includes a bound contracted service provider to a health agency.
  • 2 In this guideline, agency includes Ministers and bound contracted service providers to the agency.
  • 3 Any information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
  • 4 Under IPP 10 for non-health agencies and NPP 2 for health agencies.
  • 5 Under IPP 11 for non-health agencies and NPP 2 for health agencies.
  • 6 Section 3.

Current as at: February 13, 2024