Health agencies[1] are required to comply with the National Privacy Principles (NPPs), and all other agencies[2] with the Information Privacy Principles (IPPs), in the Information Privacy Act 2009 (Qld) (IP Act).
In this guide, health agencies and other agencies are collectively referred to as agencies, unless their obligations differ. Where they have different obligations under their respective privacy principles they are referred to as health agencies and non-health agencies.
Under IPP 10 and NPP 2 an agency can only use personal information[3] for the purpose for which it was collected unless one of the exceptions applies. Under IPP 11 and NPP 2, an agency cannot disclose personal information outside the agency unless one of the exceptions applies.
One of those exceptions is that the individual has agreed (IPP 10(1)(a) and IPP 11(1)(b)) or consented (NPP 2(1)(b)) to the use or disclosure.
It is important to note that the privacy principles do not authorise the disclosure of personal information. Rather, they mean that an agency legitimately disclosing personal information under IPP 11(1) or NPP 2(1) does not breach those privacy principles and can rely on them as a defence to a privacy complaint.
In addition, the privacy principles do not override provisions of other Acts that prohibit the disclosure of personal information, for example confidentiality provisions like those contained in the Hospital and Health Boards Act 2012 or the Child Protection Act 1999.
The privacy principles
IPP 10 (limits on use of personal information)
(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(a) the individual the subject of the personal information has expressly or impliedly agreed to the use of the information for the other purpose;
IPP 11 (limits on disclosure)
(1) An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—
(b) the individual has expressly or impliedly agreed to the disclosure;
NPP 2 (use and disclosure)
(1) A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—
(b) the individual has consented to the use or disclosure;
Agreement and consent
The IPPs refer to agreement and the NPPs refer to consent, but these are similar enough that they can be explained together—this guideline will refer to agreement for both.
Certain things must be present for agreement to be valid. The individual must have the capacity to agree and their agreement must be:
- specific; and
Whether these factors can be met will depend on the specific circumstances and the nature of the information and the individual.
Agreement includes implied agreement. As a general rule, an agency should always seek express agreement. The more sensitive the personal information, or the more privacy invasive the use or disclosure, the more important it is to have express agreement. Relying on implied agreement carries a risk for agencies: if the individual later disputes that they agreed, the agency must be able to show that agreement was actually given.
The guideline Key privacy concepts – agreement and consent explains the issues relating to agreement in detail. Agencies should also refer to that guideline when applying these privacy principles.
Agreement compared with notice
Agreement is different from notice. Under IPP 2/NPP 1, agencies give collection notices when they ask an individual for their information. These notices explain how the agency will use and disclose the information.
Collection notices do not ask for the individual’s agreement to use or disclose their personal information in those ways. They tell the individual that this is what the agency will do with their information.
While an agency may seek agreement at the same time it gives a collection notice, it is important not to confuse the two processes.
Opting in versus opting out
Agreement can be sought in two ways. An agency can:
- ask an individual whether they agree to their information being disclosed (opting in), or
- tell an individual that it is going to disclose their information unless the individual tells it not to (opting out).
As a general rule, opting in is preferable to opting out. Opt out options can raise questions of whether the agreement was validly given. Where an individual is provided with an option to opt out, such as a box to tick, there may be a question of whether they chose not to tick it because they agreed, or because they did not see it or did not understand it, or because they never received the document containing it.
If an agency chooses to use an opt out method of obtaining agreement, it should take a great deal of care to ensure that it does not breach IPP 11/NPP 2 when it relies on that agreement. The more sensitive the information and the more widespread the disclosure, the less appropriate it will be to rely on an opt out method.
[1] In this guideline, health agency includes a bound contracted service provider to a health agency.
[2] In this guideline, agency includes Ministers and bound contracted service providers to the agency.
[3] Any information or opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Current as at: September 20, 2019