Privacy and sharing information between agencies

Practice Note – Information Privacy Act 2009

This practice note is intended to assist agencies1 who wish to share information with another Queensland agency, with particular reference to personal information.2  It includes three checklists that highlight the privacy issues most likely to be relevant to information sharing, together with a flow chart.

Agencies have privacy obligations under the Information Privacy Act 2009 (IP Act). In most instances, these will not prevent personal information from being shared between agencies. Agencies do however need to consider their privacy obligations before deciding what, to whom and how personal information is to be shared.

The benefits of intra-agency information sharing

Government delivers its services to the community through individual agencies and a responsible Minister, with each agency often operating under specific legislation for specific purposes.

In order for Government to effectively and efficiently target its resources, support and services, agencies often need to share information. This may include sharing some of the personal information they hold with other agencies.

Privacy and personal information sharing  

The IP Act contains privacy principles which apply to all government agencies and sets out how personal information must be managed. These principles support the flow of personal information where it is necessary or directly related to fulfil the function, or activity of the agency.

Agencies proposing to share information should consider at the outset developing an information sharing policy, plan or guide that builds in compliance with the privacy principles, including the obligations concerning the disclosure of personal information.  This measure will safeguard the agency against breaches of the privacy principles.

A failure to comply with the privacy principles can have a number of unfavourable outcomes. Privacy breaches may cause distress and detriment to affected individuals and erode community trust and goodwill. If individuals remain unsatisfied they may make a complaint to the OIC and may subsequently take action against the agency in the Queensland Civil and Administrative Tribunal (QCAT). These outcomes can be costly and time consuming for all parties.

Issues to consider

Firstly, agencies need to consider whether all or part of the information they intend to share is personal information.  If the information being shared is not personal information the privacy principles are not relevant.

The IP Act does not override the provisions of other legislation which limit or prohibit information sharing.3

What is personal information?

Personal information is defined very broadly in the IP Act4. It includes any information or opinion in any form, whether true or not, about a natural living person who is or can be identified. 

Examples of personal information include:

  • date and place of birth
  • residential address and phone number
  • financial, criminal or medical history
  • political and religious beliefs; and
  • employment information.  

What is the purpose for the sharing of the information?

Agencies must have a clear purpose for sharing information. It may assist agencies to document the sharing process including setting out information as to:

  • What is the sharing meant to achieve?
  • What personal information needs to be shared?
  • Could the desired outcome be achieved in another way?
  • Has the agency assessed the benefits against the potential privacy risks to individuals?
  • Who in each agency will be involved in the sharing – before, during and after? Generally, only persons who need to be involved in the process or the subsequent use of the personal information should have access to the shared information.
  • What is being shared – is some of the shared information sensitive or subject to specific security considerations?
  • What is the timeframe for the sharing – is it a one-off exercise or an ongoing arrangement?
  • What is the method for sharing? This can vary from paper records and/or digital records being transferred and stored in the cloud; to circumscribed or restricted access to an agency’s database.
  • Is the sharing subject to audit or monitoring arrangements to ensure that the proposed objective is being/has been met and that only designated persons are involved in the process?
  • Is there a timeframe for review of any longer term sharing arrangement?
  • Is a privacy impact assessment necessary? Has a privacy impact assessment been undertaken?  

Agencies should consider making this documentation publicly available as part of communications strategy informing the community about the information sharing.

The checklists in Appendices 1-3 (PDF, 347.85 KB) and the flowchart in Appendix 4 (PDF, 347.85 KB) will assist agencies in answering these questions, developing a business case, and ensuring that all aspects of the information sharing activity are compliant with the privacy principles.

For additional information and assistance please refer to the OIC’s guidelines, or contact the Enquiries Service on 07 3234 7373 or email enquiries@oic.qld.gov.au.

[1] This guideline does not apply to health agencies. Health agencies have different privacy obligations under the IP Act, which are addressed in a separate guideline: Privacy and Information Sharing between Health Agencies
[2] Agencies intending to share information with entities that are not agencies under the IP Act (eg companies, Commonwealth government, other State governments) must ensure they satisfy the obligations in Chapter 2, Part 4 of the IP Act. 
[3] The agency needs to consider whether other legislation prohibits or limits the sharing of information.
[4] Section 12 of the IP Act.