Agencies are required to comply with the Information Privacy Principles (IPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
IPP 10 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies.
IPP 11 provides that personal information must not be disclosed outside the holding agency unless one of the exceptions applies.
One of the exceptions to both IPP 10 and IPP 11 is that the individual has agreed to the use or the disclosure.
Use and disclosure with agreement
(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(a) the individual the subject of the personal information has expressly or impliedly agreed to the use of the information for other purpose
(1) An agency having control of a document containing an individual's personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information unless—
(b) the individual has expressly or impliedly agreed to the disclosure
‘Agreement’ is discussed in Key privacy concepts – agreement and consent in more detail. It is important that it be read in conjunction with this guideline.
Agreement is one of the exceptions to the basic rule that the primary purpose of collection limits the use and disclosure of personal information. Where an individual has given valid agreement to an agency using the personal information for other purposes or disclosing it, even if these are incompatible with or unrelated to the initial purpose of collection, the agency is free to do so.
Agreement compared with notice
It is important that agencies remember that agreement is different from notice given under IPP 2. When an individual has been given a collection notice that sets out the uses and disclosures an agency intends, and that individual then provides the information that is not agreement to what the agency has set out in the notice. An agency is not asking for agreement when it provides a collection notice; it is setting out what it will do with the information.
While an agency may seek agreement at the same time it provides a collection notice, the two processes should not be confused.
Opting in versus opting out
Agreement can be sought in two ways. An agency can:
- ask an individual if they agree to their information being disclosed, or
- tell an individual that they are going to disclose their information unless the individual tells them not to.
As a general rule, the first method – opting in – is preferable to the second – opting out. Opt out options can raise questions of whether the agreement was validly given. Where an individual is provided with an option to opt out, such as a box to tick, there may be a question of whether they chose not to tick it because they agreed, or because they did not see it or did not understand it, or because they never received the document containing it.
If an agency chooses to use an opt out method of obtaining agreement, they should take a great deal of care to ensure that they don’t breach IPP 11 when they rely on it. The more sensitive the information and the more widespread the disclosure, the less appropriate it will be to rely on an opt out method
Current as at: July 19, 2013