Health agencies[1] are required to comply with the National Privacy Principles (NPPs), and all other agencies[2] with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).
In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.
Under IPP 10 and NPP 2 an agency can only use personal information[3] for the reason it was collected unless one of the exceptions applies. Under IPP 11 and NPP 2, an agency cannot disclose personal information outside the agency unless one of the exceptions applies.
The exceptions include that the use or disclosure is necessary for conducting research in the public interest under IPPs 10(1)(f) and 11(1)(f) and NPP 2(1)(c).
For health agencies this exception applies to health information only.
It is important to note that the privacy principles do not authorise the disclosure of personal information. Rather, they mean that an agency legitimately disclosing personal information under IPP 11(1) or NPP 2(1) does not breach those privacy principles and can rely on them as a defence to a privacy complaint.
In addition, the privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information, for example confidentiality provisions like those contained in the Hospital and Health Boards Act 2012 or the Child Protection Act 1999.
The privacy principles
IPP 10
(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(f) all of the following apply—
(i) the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;
(ii) the use does not involve the publication of all or any of the personal information in a form that identifies any particular individual the subject of the personal information;
(iii) it is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use.
IPP 11
(1) An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—
(f) all of the following apply—
(i) the disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;
(ii) the disclosure does not involve the publication of all or any of the personal information in a form that identifies the individual;
(iii) it is not practicable to obtain the express or implied agreement of each individual before the disclosure;
(iv) the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity.
NPP 2
(1) A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—
(c) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety—
(i) it is impracticable for the health agency to seek the individual’s consent before the use or disclosure; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the chief executive of the health department for the purposes of this subparagraph; and
(iii) for disclosure—the health agency reasonably believes that the entity receiving the health information will not disclose the health information or personal information derived from the health information
Health agencies - applies to health information only
For health agencies, the public interest research exception in NPP 2(1)(c) does not apply to all personal information—only to health information. Health information means:
- personal information about an individual, including the individual’s health or disability at any time, their expressed wishes about future provision of health services to them, or a health service that has been provided, or is to be provided, to them, or
- personal information about the individual collected for the purpose of providing, or in providing, a health service; and
- personal information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual’s body parts, organs or body substances.
De-identified or unidentified data
The privacy principles only apply to information that can be linked to an identifiable individual. If the information can be de-identified, or broken down into aggregated unidentified data such as statistics, the use or disclosure can proceed without having to consider the IPPs or NPPs.
Refer to Privacy and De-identification for assistance on de-identifying information.
Before using or disclosing information under the public interest research exceptions, agencies should consider whether there are alternate research methods that do not involve personal information.
Agreement and planning for future research needs
As a general rule, it is preferable for personal information to be used for research with the agreement, or reasonable awareness, of the individual.[4]
Where an agency holds information with research value, potential future research needs should be considered when collecting information of that type. Where appropriate, the use of personal information for future research can be built into the collection notices provided under IPP 2/NPP 1.
Research in the public interest
Before an agency can rely on the public interest research exceptions, it must first consider:
- Is the use or disclosure necessary for the research? Can the same goal be achieved with unidentified or de-identified information?
- How effective will de-identification of the data in the final product of the research be? More than just a name can identify an individual.
- For a disclosure, what steps will the agency take to ensure the recipient does not disclose the personal information? The agency must be satisfied that the recipient will not disclose the information to anyone else.
- For a disclosure, is the information being communicated outside Australia? If so, the obligations under section 33 of the IP Act must be met. (See Sending personal information out of Australia for information.)
- Is it impracticable to seek the consent of the potential subjects?
- Is the work in the public interest?
Key concepts for IPP 10(1)(f), IPP 11(1)(f), and NPP 2(1)(c)
When considering whether the use or disclosure is necessary, an agency must consider to what degree the personal information is needed for the research. It will be a question of degree, to be determined having regard to the purpose of the research, its intended outcomes, and the extent to which it is dependent on the personal or health information. If de-identified information would serve the same purpose, then the use or disclosure of the information is not necessary.
Research generally involves ethical investigation using a set methodology intended to achieve a specific result. It must begin with a clearly defined goal around which the study is designed. The data gathered as part of the research must be aimed at assisting the researcher towards achieving that goal.
It should be more than a reorganisation or restatement of the facts contained in the data; it must use a clear procedure to analyse a body of information or data and extract new meaning from it, or develop unique solutions to problems or cases.
Compilation or analysis of statistics is the act or process of collecting numerical data, or undertaking a detailed examination of the elements or structure of numerical data, especially in or about large quantities, and inferring conclusions about the whole from conclusions reached from the whole or a representative sample.
In the public interest
For research to be in the public interest, it must be done ethically. The results it is aimed at achieving, the questions it is attempting to answer, or the knowledge it is seeking to gain must be of potential benefit to more than just the agency which holds the information or the individual conducting the research.
Research in the public interest would commonly involve something beneficial to the well-being of society as a whole, or a specific segment of it, with an emphasis on areas for which the government has responsibility.
Research that may be in the public interest could include research into:
- public health issues
- public safety issues
- social welfare issues
- criminal matters, such as trends, prevention, effectiveness of deterrence measures
- protection of children and disabled or disadvantaged members of society
- environmental health, protection and improvement
- better delivery and increased effectiveness of government services.
All proposed research projects where personal information is considered necessary must be individually assessed to determine if they are actually in the public interest.
When making this assessment, agencies should consider:
- How is the public interest being defined? Does it go beyond the agency’s own needs/potential benefit to consider the greater implications for the public as a whole?
- How is the public expected to benefit from this research? Will it:
  - Bring greater knowledge, insight, or understanding?
  - Improve social welfare, public safety, or individual well-being, or minimise a serious harm?
  - Enhance the delivery or improve the effectiveness of a government service?
- Is there a risk or a potential cost to the community if the research is not conducted?
- Are the potential subjects of the research at any risk of harm as a result of their personal information being used in this way?
- Is the research being conducted in an ethical way, consistent with the accepted standards for research involving human beings?
Not practicable to obtain agreement or consent
Agreement (or consent for health agencies) is the simplest way of using or disclosing personal or health information for a purpose not contemplated at the time of collection.
Only if it is not practicable, or impracticable, to obtain agreement can the public interest research exceptions be relied on. ‘Not practicable’ does not mean difficult or undesirable. To be impracticable, it must be impossible, or extremely difficult, to seek that agreement. The fact that seeking agreement is inconvenient or would involve expenditure of some effort or resources is not sufficient.
The impracticability of obtaining agreement must not be confused with the undesirability of obtaining agreement. For example, it is not sufficient that, if agreement were sought, refusal by some individuals would make the research project more difficult.
Whether it is impracticable to seek agreement will depend on the individual circumstances. When making this determination, the following are relevant considerations:
- the age of the information
- the size of the subject pool
- whether the individuals concerned are likely to have moved or died
- the lack of current or ongoing contact with the individuals, and a lack of sufficient information to determine their current contact details (bearing in mind the obligation to ensure information is accurate and up to date before use); and
- the resources required to obtain agreement would be a significant drain on the agency or researcher to the extent that the research could not be done.
Satisfied the relevant entity will not disclose
Where the agency is disclosing, rather than using, the information, it must be satisfied on reasonable grounds that the entity receiving it will not disclose it to anyone else.
In addition, agencies should ensure the entity will:
- appropriately safeguard the information against loss, misuse, and unauthorised access
- not use the information for any other purpose; and
- return the information, or destroy it, at the conclusion of the research.
This could be achieved by way of a contract, Memorandum of Understanding, Deed of Privacy or other instrument that binds the recipient of the information to deal with it in a specific way.
- [1] In this guideline, health agency includes a bound contracted service provider to a health agency.
- [2] In this guideline, agency includes Ministers and bound contracted service providers to the agency.
- [3] Any information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
- [4] The 2007 revised National Statement on Ethical Conduct in Human Research and the Guidelines Under Section 95 of the Privacy Act 1988, National Health and Medical Research Council.
Current as at: September 20, 2019