All Queensland government agencies must handle personal information in accordance with the Queensland Privacy Principles (QPP) in the Information Privacy Act 2009 (Qld) (IP Act).
This guideline is based on and includes material from the Australian Privacy Principle guidelines developed by the Office of the Australian Information Commissioner.
Section 12 of the IP Act provides that personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether it's true or recorded in a material format.
The individual does not need to be directly identified in the information for it to be personal information. It is sufficient if they can reasonably be identified by reference to other information.
The personal information of one individual may also be the personal information of other individuals. OIC refers to this as mutual personal information, and examples include a marriage certificate, which contains personal information of both parties to a marriage, or a vocational reference that includes personal information about both the author and the subject of the reference.
Sensitive information is a category of personal information defined in schedule 5 of the IP Act.
Refer to Key privacy concepts – sensitive and personal information for more information.
An agency cannot collect sensitive information without consent unless one of the exceptions in QPP 3.4 applies.
Refer to QPP 3 – collection of personal information for more information.
An agency can use and disclose personal information for the reason it was collected (the primary purpose). An agency can only use or disclose personal information for a secondary purpose as set out in QPP 6.
Use and disclosure are both defined in the IP Act. Refer to Key privacy concepts – use and disclosure for more information.
Under QPP 3.4 an agency can collect sensitive information without consent, and under QPP 6.2(c) an agency can use or disclose personal information for a secondary purpose, if a permitted general situation applies. The permitted general situations are listed in schedule 4, part 1 of the IP Act.
An agency can collect sensitive information, or use and disclose personal information, to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, but only if it is unreasonable or impracticable to obtain the individual’s consent.
Under the IP Act, consent can be express or implied. Refer to Key privacy concepts – consent for information about what constitutes valid consent under the QPPs.
Before collecting sensitive information, or using or disclosing personal information, to prevent a serious threat, agencies must identify a clear reason why it is unreasonable or impracticable to obtain the individual’s consent. Relevant considerations include:
Agencies also need to consider whether the individual has capacity to give consent. Without capacity, an individual cannot consent, therefore it will generally be unreasonable or impracticable to obtain their consent.
However, if the individual has nominated a guardian or representative empowered to consent on their behalf, agencies should consider whether it is impracticable or unreasonable to seek that person’s consent.
The threat the agency is trying to lessen or prevent by collecting, using or disclosing the information must be serious and it must be to an individual’s life, health, or safety or to public health or safety.
The likelihood of the threat occurring as well as the consequences if it materialises are both relevant when deciding if a threat is serious. A threat that could have dire consequences but is highly unlikely to occur would not generally constitute a serious threat. However, a potentially harmful threat that is likely to occur, but at an uncertain time, may be a serious threat, such as a threatened outbreak of infectious disease. This allows agencies to take preventative action to stop a serious threat from escalating before it materialises.
The individual whose personal information is being considered does not have to be the one facing the harm and the threat does not need to be to an identifiable person. It may be a threat of harm to be randomly inflicted, or inflicted on a class of people, so that it is impossible to identify a specific person against whom the threat is directed.
Health includes mental health—mere stress, aggravation, or inconvenience would not constitute serious harm, however the triggering of a serious stress-related disorder could. For public health or safety—this must be a real and serious threat to the general public, or a portion of it, such as an outbreak of disease, or a bushfire threatening a locality.
The threat does not have to occur in Queensland or even in Australia. It may happen anywhere in the world.
Agencies must reasonably believe that the collection, use or disclosure will prevent or lessen the threat. This will generally require a sufficient link between the collection, use or disclosure of the information and the prevention or lessening of the threat.
In the case of a disclosure, it would normally be to another agency or body with the capacity and authority to reduce or prevent the threat.
Generally, this exception should be used in emergency or extraordinary situations and not to justify regular or ongoing disclosures. However, in some circumstances this may be appropriate, depending on the nature of the threat and the sensitivity of the information. For example, a local council might provide information to the Rural Bushfire Brigade so that the Brigade can prepare local landholders for bushfire season.
However, if an agency expects that disclosures of this kind will be regular and ongoing, it must include them in its QPP 5 notice. See QPP 5 – What agencies must tell people when collecting personal information for more information.
Part of deciding if the collection, use or disclosure is necessary involves making an assessment about whether the harm can be lessened or prevented without the information, e.g. by de-identifying information before disclosure or collecting de-identified information. If so, then the collection, use or disclosure is not necessary.
It is not sufficient that an agency simply believes the threat exists. It must believe that the collection, use or disclosure of information is necessary to lessen or prevent that threat. The following questions will assist agencies in making that determination:
Agencies considering collecting, using or disclosing information to reduce threats to public health or public safety may find it useful to discuss the threat in general terms (and whether the proposed collection, use or disclosure is likely to reduce the threat) with a relevant authority dealing with public health or safety, for example a health agency or the agency responsible for environmental health.
For a threat to be prevented or lessened, the collection, use or disclosure of information must allow the body collecting, using or receiving it to take steps it would not otherwise have been able to take to either remove or reduce the threat. It must be more than a mere chance of reducing it, or a ‘just in case’ measure. For example, releasing a suspected offender’s picture and details to the media would, in most circumstances, be unlikely to satisfy these requirements.
If the attempt to prevent or lessen the threat is unsuccessful it will not invalidate the collection, use or disclosure, as long as the belief that collecting, using or disclosing the information would do so was reasonable.
Current as at: July 1, 2025