Agencies are required to comply with the Information Privacy Principles (IPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
IPP 10 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies.
IPP 11 provides that personal information must not be disclosed outside the holding agency unless one of the exceptions applies.
One of the exceptions to IPP 10 and IPP 11 is where the information is necessary for conducting research in the public interest.
Public interest research – IPP 10(1)(f) and 11(1)(f)
(1) An agency having control of a document containing
personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(f) all of the following apply—
(i) the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;
(ii) the use does not involve the publication of all or any of the personal information in a form that identifies any particular individual the subject of the personal information;
(iii) it is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use.
(1) An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—
(f) all of the following apply—
(i) the disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;
(ii) the disclosure does not involve the publication of all or any of the personal information in a form that identifies the individual;
(iii) it is not practicable to obtain the express or implied agreement of each individual before the disclosure;
(iv) the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity.
IPPs 10(1)(f) and 11(1)(f) apply to research activities where an agency holds personal information that was not collected for the purpose of research activities, and wishes to use it, or disclose it to a third party to use it, for that purpose without obtaining the agreement of the individuals concerned.
Before proceeding to use or disclose personal information in reliance on IPPs 10(1)(f) and/or 11(1)(f), agencies should consider whether there are alternate research methods that do not involve personal information.
De-identified or unidentified data
The IP Act only applies where the information in question can be linked to an identifiable individual. If the information can be de-identified, or broken down into aggregated unidentified data, such as statistics, then the IP Act will not apply and the use or disclosure can proceed without having to consider the IPPs.
As a general rule, where personal information is being used for research, it should be done with the agreement or reasonable awareness of the individual. Agreement is one of the primary exceptions under IPPs 10 and 11, and is the preferred approach to research using personal information about individuals.
The potential research needs of any information collection should be considered at the point of collection. The use of personal information for future research can be built into the collection notices provided under IPP 2.
This does not mean that every collection notice should include a mention of research, but the use for which the information is being collected should be evaluated to determine if it is likely to involve a legitimate future research need.
Research in the public interest
An agency that wishes to rely on IPP 10 (1)(f) or 11(1)(f) should first consider:
- Is the use or disclosure necessary for the research? Can the same goal be achieved with unidentified or de-identified information?
- How effective will de-identification of the data in the final product of the research be? More than just a name can identify an individual.
- For a disclosure, what steps will the agency take to ensure the recipient does not disclose the personal information? The agency must be satisfied that the recipient will not disclose the information to anyone else.
- For a disclosure, is the information being communicated outside Australia? If so, the obligations under section 33 of the IP Act must be met.
- Is it impracticable to seek the consent of the potential subjects?
- Is the work in the public interest?
Key concepts for IPPs 10(1)(f) and 11(1)(f)
When considering whether the use or disclosure is necessary, an agency must consider to what degree the personal information is needed for the research. It will be a question of degree, to be determined having regard to the purpose of the research, its intended outcomes, and the extent to which it is dependant on the personal information. If de-identified information would serve the same purpose, then the use or disclosure of personal information is not necessary.
Research generally involves ethical investigation using a set methodology intended to achieve a specific result. It must begin with a clearly defined goal around which the study is designed. The data gathered as part of the research must be aimed at assisting the researcher towards achieving that goal.
It should be more than a reorganisation or restatement of the facts contained in the data; it must use a clear procedure to analyse a body of information or data and extract new meaning from it, or develop unique solutions to problems or cases.
Compilation or analysis of statistics is the act or process of collecting numerical data, or undertaking a detailed examination of the elements or structure of numerical data, especially in or about large quantities, and inferring conclusions about the whole from conclusions reached from the whole or a representative sample.
In the public interest
For research to be in the public interest, it must be done ethically. The results it is aimed at achieving, the questions it is attempting to answer, or the knowledge it is seeking to gain must be of potential benefit to more than just the agency which holds the information or the individual conducting the research.
Research in the public interest would commonly involve something beneficial to the well-being of society as a whole, or a specific segment of it, with an emphasis on areas for which the government has responsibility.
Research that may be in the public interest could include research into:
- public health issues
- public safety issues
- social welfare issues
- criminal matters, such as trends, prevention, effectiveness of deterrence measures
- protection of children and disabled or disadvantaged members of society
- environmental health, protection and improvement
- better delivery and increased effectiveness of government services.
All proposed research projects where personal information is considered necessary must be individually assessed to determine if they are actually in the public interest.
When making this assessment, agencies should consider:
- How is the public interest being defined? Does it go beyond the agency’s own needs/potential benefit to consider the greater implications for the public as a whole?
- How is the public expected to benefit from this research? Will it bing greater knowledge, insight, or understanding, improve social welfare, public safety, or individual well-being, or minimise a serious harm, or enhance the delivery or improve the effectiveness of a government service?
- Is there a risk or a potential cost to the community if the research is not conducted?
- Are the potential subject of the research at any risk of harm as a result of their personal information being used in this way?
- Is the research being conducted in an ethical way, consistent with the accepted standards for research involving human beings?
Not practicable to obtain agreement
Agreement is the simplest way of using or disclosing personal information for a purpose not contemplated at the time of collection.
Only if it is not practicable to obtain that agreement can personal information be used for research in the public interest under these IPPs. ‘Not practicable’ does not mean difficult or undesirable. To be impracticable, it must be impossible, or extremely difficult, to seek that consent. The fact that seeking consent is inconvenient or would involve expenditure of some effort or resources is not sufficient.
The impracticability of obtaining consent must not be confused with the undesirability of obtaining consent. For example, it is not sufficient that, if consent were sought, refusal by some individuals would make the research project more difficult.
Whether it is impracticable to seek consent will depend on the individual circumstances. When making this determination, the following are relevant considerations:
- the age of the information
- whether the individuals concerned are likely to have moved or died
- the lack of current or ongoing contact with the individuals, and a lack of sufficient information to determine their current contact details (bearing in mind the obligation to ensure information is accurate and up to date before use)
- the resources required to obtain consent would be a significant drain on the agency or researcher to the extent that the research could not be done. The size of the subject pool is also a relevant consideration.
Satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity
Generally an agency should ensure that the entity will:
- not further disclose the information
- safeguard it appropriately
- not use it for any other purpose
- return it or destroy it at the conclusion of the research.
Current as at: July 19, 2013