Health agencies are required to comply with the National Privacy Principles (NPPs), and all other agencies with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).
In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.
Under IPP 10 and NPP 2, an agency can only use personal information for the reason it was collected unless one of the exceptions applies. Under IPP 11 and NPP 2, an agency cannot disclose personal information outside the agency unless one of the exceptions applies.
The exceptions include that the use or disclosure is necessary for conducting research in the public interest under IPPs 10(1)(f) and 11(1)(f) and NPP 2(1)(c).
For health agencies this exception applies to health information only.
It is important to note that the privacy principles do not authorise the disclosure of personal information. Rather, they mean that an agency legitimately disclosing personal information under IPP 11(1) or NPP 2(1) does not breach those privacy principles and can rely on them as a defence to a privacy complaint.
In addition, the privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information, for example confidentiality provisions like those contained in the Hospital and Health Boards Act 2012 or the Child Protection Act 1999.
(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(f) all of the following apply—
(i) the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;
(ii) the use does not involve the publication of all or any of the personal information in a form that identifies any particular individual the subject of the personal information;
(iii) it is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use.
(1) An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—
(f) all of the following apply—
(i) the disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;
(ii) the disclosure does not involve the publication of all or any of the personal information in a form that identifies the individual;
(iii) it is not practicable to obtain the express or implied agreement of each individual before the disclosure;
(iv) the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity.
(1) A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—
(c) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety—
(i) it is impracticable for the health agency to seek the individual’s consent before the use or disclosure; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the chief executive of the health department for the purposes of this subparagraph; and
(iii) for disclosure—the health agency reasonably believes that the entity receiving the health information will not disclose the health information or personal information derived from the health information
For health agencies, the public interest research exception in NPP 2(1)(c) does not apply to all personal information—only to health information. Health information means:
The privacy principles only apply to information that can be linked to an identifiable individual. If the information can be de-identified, or broken down into aggregated unidentified data such as statistics, the use or disclosure can proceed without having to consider the IPPs or NPPs.
Refer to Privacy and De-identification for assistance on de-identifying information.
Before using or disclosing information under the public interest research exceptions, agencies should consider whether there are alternate research methods that do not involve personal information.
As a general rule, it is preferable for personal information to be used for research with the agreement, or reasonable awareness, of the individual.
Where an agency holds information with research value, potential future research needs should be considered when collecting information of that type. Where appropriate, the use of personal information for future research can be built into the collection notices provided under IPP 2/NPP 1.
Before an agency can rely on the public interest research exceptions, it must first consider:
When considering whether the use or disclosure is necessary, an agency must consider to what degree the personal information is needed for the research. It will be a question of degree, to be determined having regard to the purpose of the research, its intended outcomes, and the extent to which it is dependent on the personal or health information. If de-identified information would serve the same purpose, then the use or disclosure of the information is not necessary.
Research generally involves ethical investigation using a set methodology intended to achieve a specific result. It must begin with a clearly defined goal around which the study is designed. The data gathered as part of the research must be aimed at assisting the researcher towards achieving that goal.
It should be more than a reorganisation or restatement of the facts contained in the data; it must use a clear procedure to analyse a body of information or data and extract new meaning from it, or develop unique solutions to problems or cases.
Compilation or analysis of statistics is the act or process of collecting numerical data, or undertaking a detailed examination of the elements or structure of numerical data, especially in or about large quantities, and inferring conclusions about the whole from conclusions reached from the whole or a representative sample.
For research to be in the public interest, it must be done ethically. The results it is aimed at achieving, the questions it is attempting to answer, or the knowledge it is seeking to gain must be of potential benefit to more than just the agency which holds the information or the individual conducting the research.
Research in the public interest would commonly involve something beneficial to the well-being of society as a whole, or a specific segment of it, with an emphasis on areas for which the government has responsibility.
Research that may be in the public interest could include research into:
All proposed research projects where personal information is considered necessary must be individually assessed to determine if they are actually in the public interest.
When making this assessment, agencies should consider:
Agreement (or consent for health agencies) is the simplest way of using or disclosing personal or health information for a purpose not contemplated at the time of collection.
Only if it is not practicable, or impracticable, to obtain agreement can the public interest research exceptions be relied on. ‘Not practicable’ does not mean difficult or undesirable. To be impracticable, it must be impossible, or extremely difficult, to seek that agreement. The fact that seeking agreement is inconvenient or would involve expenditure of some effort or resources is not sufficient.
The impracticability of obtaining agreement must not be confused with the undesirability of obtaining agreement. For example, it is not sufficient that, if agreement were sought, refusal by some individuals would make the research project more difficult.
Whether it is impracticable to seek agreement will depend on the individual circumstances. When making this determination, the following are relevant considerations:
Where the agency is disclosing, rather than using, the information, it must be satisfied on reasonable grounds that the entity receiving it will not disclose it to anyone else.
In addition, agencies should ensure the entity will:
This could be achieved by way of a contract, Memorandum of Understanding, Deed of Privacy or other instrument that binds the recipient of the information to deal with it in a specific way.
Current as at: September 20, 2019