QPP 6 - Use or disclosure with consent

Overview

All Queensland government agencies[1] must handle personal information in accordance with the Queensland Privacy Principles (QPP) in the Information Privacy Act 2009 (Qld) (IP Act).

This guideline is based on and includes material from the Australian Privacy Principle guidelines developed by the Office of the Australian Information Commissioner.

What is personal information?

Section 12 of the IP Act provides that personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether it's true or recorded in a material format.

The individual does not need to be directly identified in the information for it to be personal information. It is sufficient if they can reasonably be identified by reference to other information.

The personal information of one individual may also be the personal information of other individuals. OIC refers to this as mutual personal information, and examples include a marriage certificate, which contains personal information of both parties to a marriage, or a vocational reference that includes personal information about both the author and the subject of the reference.

Refer to Key privacy concepts – personal and sensitive information for more information.

Use and disclosure

An agency can use and disclose personal information for the reason it was collected (the primary purpose). An agency can only use or disclose personal information for a secondary purpose as set out in QPP 6.

Use and disclosure are both defined in the IP Act. Refer to Key privacy concepts – use and disclosure for more information.

QPP 6 – Use or disclosure with consent

Under QPP 6.1(a), an agency can use or disclose personal information for a secondary purpose if the individual consents.

Consent

Certain things must be present for agreement to be valid. The individual must have the capacity to agree and their agreement must be:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific, and
  • the individual has the capacity to understand and communicate their consent.

Whether these factors can be met will depend on the specific circumstances and the nature of the information and the individual.

For the QPPs, consent includes implied consent. As a general rule, an agency should seek express consent. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the agency.

The more sensitive the personal information, or the more privacy invasive the use or disclosure, the more important it is to have express agreement. It is a risk to agencies to rely on implied agreement.

Agencies cannot:

  • assume that an individual has consented to a use or disclosure just because it appears advantageous to them; or
  • establish implied consent by stating that if the individual knew about the benefits of the use or disclosure, they would probably consent to it.

Refer to Key privacy concepts – consent for more information.

Opting in versus opting out

Agreement can be sought in two ways.  An agency can:

  • ask an individual if they agree to their information being used or disclosed (opt in); or
  • tell an individual that they are going to use or disclose their information unless the individual tells them not to (opt out).

Use of an opt-out mechanism to infer an individual’s consent will only be appropriate in limited circumstances, as the individual’s intention in failing to opt-out may be ambiguous. Where an individual is provided with an option to opt out, such as a box to tick, there may be a question of whether they chose not to tick it because they agreed, or because they did not see it or did not understand it, or because they never received the document containing it.

An agency will be in a better position to establish the individual’s consent when using an opt out mechanism where:

  • the opt out option was clearly and prominently presented
  • it is likely that the individual received and read the information about the proposed use or disclosure, and the option to opt out
  • the individual was given information on the implications of not opting out
  • the opt out option was freely available and not bundled with other purposes
  • it was easy for the individual to exercise the option to opt out, for example, there was little or no financial cost or effort required by the individual
  • the consequences of failing to opt out are not serious.

If an agency chooses to use an opt out method of obtaining agreement, they should take a great deal of care to ensure that they don’t breach QPP 6 when they rely on it. The more sensitive the information and the more widespread the use or disclosure, the less appropriate it will be to rely on an opt out method.

Consent compared with notice

Obtaining an individual’s consent is not the same as providing information or a notice under QPP 5.

When an agency gives a notice or information under QPP 5 it is telling the individual what will happen with their personal information, ie what it will be used for and how it will be disclosed.

When an agency seeks an individual’s consent it is asking for their permission to use or disclose their information for the secondary purpose.

An agency can ask for consent at the same time it provides the QPP 5 information, but it must take care not to confuse the two processes.

  • 1 References to an agency in this guideline include a Minister, bound contracted service provider, or other entity required to comply with the QPPs.

Current as at: July 1, 2025