Agencies are required to comply with the Information Privacy Principles (IPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
IPP 10 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies.
IPP 11 provides that personal information must not be disclosed outside the holding agency unless one of the exceptions applies. One of the exceptions to both IPP 10 and IPP 11 is that the use or disclosure is necessary to lessen or prevent a serious threat to an individual or to the public.
Prevention of harm – IPP 10(1)(b) and 11(1)(c)
(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(b) the agency is satisfied on reasonable grounds that the use of the information for the other purpose is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety, or welfare.
(1) An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—
(c) the agency is satisfied on reasonable grounds that the disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety, or welfare.
There must be a sufficient link between the use or disclosure of the personal information and the prevention or lessening of the threat. The information must be used only for that purpose, and not for any other. In the case of a disclosure, it would normally be to another agency or body with the capacity and authority to intervene to reduce the threat, where the intervention cannot occur without the personal information.
Generally, these exceptions should be used in emergency or extraordinary situations where time is of the essence and not to justify regular or ongoing uses or disclosures. However, in some circumstances this may be appropriate, depending on the nature of the threat and the sensitivity of the information.
For example, a local council might regularly provide information to the Rural Bushfire Brigade so that the Brigade can prepare local landholders for bushfire season.
Where this exception is used to permit ongoing or regular disclosures, the agency should carefully consider their obligations under IPP 2 to advise individuals from whom they are collecting personal information of any regular disclosures that will be made.
Part of deciding if the use or disclosure is necessary involves making an assessment about whether the harm can be lessened or prevented using de-identified information. If so, then the use or disclosure is not necessary.
It is not sufficient that an agency simply believes the threat exists. It must believe that the use or disclosure of personal information is necessary to lessen or prevent that threat. The following questions will assist agencies in making that determination:
- Is the use or disclosure motivated by an intention to lessen or prevent the threat?
- Is the personal information being used or disclosed relevant to managing the threat?
- When disclosed, is the recipient in a position to act on the information to lessen or prevent the harm from eventuating?
- Will the proposed use or disclosure reduce the threat?
An agency should consider whether there are alternative reasonable ways to reduce the threat (for example, by seeking consent to the use or disclosure) – this helps in working out whether the disclosure is necessary.
Agencies considering using or disclosing personal information to reduce threats to public health or public safety may find it useful to discuss the threat in general terms (and whether the proposed use or disclosure is likely to reduce the threat) with a relevant authority dealing with public health or safety, for example a health agency or the Environmental Protection Agency.
Prevent or lessen
For a threat to be prevented or lessened the use or disclosure of the personal information must allow the body using or receiving it to take steps they would not otherwise have been able to take to either remove the threat entirely, or to reduce it significantly. It must be more than a mere chance of reducing it, or a ‘just in case’ measure. For example, releasing a suspected offender’s picture and details to the media would, in most circumstances, be unlikely to satisfy the requirements of IPP 11(1)(c).
If the attempt to prevent or lessen the threat is unsuccessful it will not invalidate a disclosure under this IPP, as long as the belief that using or disclosing the personal information would do so was reasonable.
The threat must be serious and it must be to an individual’s life, health, safety or welfare or public health, safety or welfare.
- It does not have to be the individual whose personal information is in contemplation who is facing the harm.
- Health includes mental health—mere stress, aggravation, or inconvenience would not constitute serious harm, however the triggering of a serious stress-related disorder could.
- For public health, safety, or welfare, this must be a real and serious threat to the general public, or a portion of it, such as an outbreak of disease, or a bushfire threatening a locality.
- The threat does not have to occur in Queensland or even in Australia. It may happen anywhere in the world. If disclosing to a jurisdiction outside Australia, the agency should be aware of the rules about transferring personal information out of Australia (see discussion in section 6 – transfer of personal information out of Queensland).
- The threat does not need to be to an identifiable person. It may be a threat of harm to be randomly inflicted, so that it is impossible to identify a specific person against whom the threat is directed.
Current as at: July 19, 2013