Queensland Bills Explanatory Notes

INFORMATION PRIVACY BILL 2009

Information Privacy Bill 2009


Explanatory Notes

Short Title
The short title of the Bill is the Information Privacy Bill 2009.

Objectives of the Bill
The primary objectives of the Bill are to provide for the fair collection and
handling of personal information in the public sector and to provide a right
for individuals to access and amend their personal information held by
public sector entities.

Reasons for the Bill
In September 2007, the Premier of Queensland commissioned an
independent panel, chaired by Dr David Solomon AM, to undertake a
comprehensive review of Queensland's freedom of information legislation.
The resulting report, The Right to Information: Reviewing Queensland's
Freedom of Information Act (the Solomon Report), delivered in June 2008,
proposed a rethink of the framework for access to information in
Queensland.
The report contained 141 recommendations for information policy and
legislation reform, including that there be a new legislative framework for
access to information, namely:
     ·    a Right to Information Act, with a clearly stated object of
          providing a right of access to information held by government
          unless, on balance, it is contrary to the public interest to provide
          that information; and
     ·    privacy legislation, to provide access and amendment rights for
          personal information, in addition to privacy obligations in
          relation to the collection and handling of personal information in
          the public sector.
The Government response to the Solomon Report supported in full, in part, or in-principle all but two of the report's recommendations and committed to the introduction of new legislation by mid-2009.
The Right to Information Bill 2009 and the Information Privacy Bill 2009 give legislative effect to the Government's response to the Solomon Report.

Achievement of the objectives
The Bill achieves the policy objectives by:
     ·    providing a mechanism by which individuals can access and amend their own personal information held by relevant public sector agencies;
     ·    setting out the privacy principles to which public sector agencies must adhere by codifying, with minor amendments, the current administrative privacy regime provided for in Information Standard 42: Information Privacy (IS42) and Information Standard 42A: Information Privacy for the Queensland Department of Health (IS42A); and
     ·    establishing the role of Privacy Commissioner (as a deputy to the Information Commissioner).

Access and amendment of personal information
The Bill has been developed in conjunction with the Right to Information Bill and provides for consistent procedural requirements for applications to access and amend personal information. To facilitate this process, applications will be able to be transferred to the Right to Information Bill if an application is expressed to be for information other than the applicant's own personal information upon payment of the application fee.
As chapter 3 of the Bill transfers existing access and amendment rights currently provided under the Freedom of Information Act 1992, the scope of chapter 3 reflects the Right to Information Bill. This includes departments, local governments, public authorities and certain government owned corporations and their subsidiaries.
Applicants will be provided with rights of internal and external review of access and amendment decisions consistent with the Right to Information Bill.
The Information Commissioner may refer questions of law to the Supreme Court or the proposed Queensland Civil and Administrative Tribunal (QCAT) and applicants may appeal to QCAT on questions of law
following commencement of operations of QCAT, proposed for December 2009.

Privacy principles
The obligation to comply with privacy principles will apply to Ministers (including Parliamentary Secretaries) in their official capacity, departments and public authorities. The privacy principles will apply to local governments one year after commencement of the Bill, in view of the fact that councils are not currently subject to privacy regulation and will therefore require a transitional period within which to ensure compliance with the legislation.
Where an agency contracts with a service provider to deliver services on the agency's behalf, the contract is required to bind the service provider to comply with the privacy principles.
All agencies subject to the Bill, other than the Department of Health, will be required to comply with the Information Privacy Principles set out in schedule 3, and the Department of Health will be required to comply with the National Privacy Principles set out in schedule 4. This maintains the current framework of the administrative privacy regime under IS42 and IS42A. The Government will continue to participate in consideration of uniform privacy principles at a national level, but has determined that the current framework should be retained pending any agreement on a nationally uniform approach to privacy.

Privacy oversight
The Bill will vest the Information Commissioner with a range of new powers and functions in overseeing the privacy legislation. A new Privacy Commissioner role will be established as a deputy to the Information Commissioner and any of the Information Commissioner's functions and powers will be able to be delegated to the Privacy Commissioner.
The Bill will create a new right to lodge complaints where an agency has breached its privacy obligations in relation to the individual's personal information. The Information Commissioner must take all reasonable steps to mediate complaints, but where mediation is unsuccessful, QCAT will have jurisdiction to hear complaints and make orders for remedies, including payment of compensation of up to $100,000. In order to stage the implementation of the legislation, the complaints function will commence concurrently with the commencement of operations of QCAT proposed for December 2009.
The Information Commissioner will also be empowered to conduct reviews of systemic privacy issues within the public sector, issue compliance notices to agencies found in breach of the privacy principles and decide requests to modify application of the privacy principles where there is an overriding public interest in doing so.
As the Bill and the Right to Information Bill implement significant reforms, both Bills provide that a review of the operation of the legislation must commence within two years. The review will examine the practical application of the legislation in order to identify and resolve any issues arising during implementation.

Alternative ways of achieving objectives
An alternative option to the Bill would be to retain the existing framework for access and amendment of personal information through the Freedom of Information Act 1992 and maintain the administrative privacy regime. However, the Government has indicated its clear commitment to Freedom of Information reform and creating a new framework for access to government information with a presumption towards disclosure. This is only possible through legislative amendment. It is also considered desirable for Queensland to introduce appropriate legislative safeguards to the handling of personal information within the public sector, consistent with the majority of other Australian jurisdictions, through privacy legislation.

Estimated cost for government implementation
The Government is continuing to consider the financial implications of introducing the Right to Information reforms. There will be implementation costs for the Office of the Information Commissioner to undertake new or expanded functions under the legislation. Implementation of the legislation may require resources in terms of training and changes to agency business practices, which will be met from within existing budget allocations.

Consistency with Fundamental Legislative Principles
The Bill is generally consistent with fundamental legislative principles.

Does the Bill confer power to enter premises?
Consistent with the Right to Information Bill, the Bill will provide enhanced powers of entry and search to the Information Commissioner and entitle the Commissioner to full and free access at all reasonable times to the records of an agency (clause 113). The exercise of these powers will be subject to Parliamentary scrutiny and is considered essential to ensure accountability and transparency in the administration of the Bill.

Does the Bill have sufficient regard to the rights and liberties of individuals?
Clause 113 permits access to documents including those protected by legal professional privilege. Clause 118(2) provides that legal professional privilege does not apply to the production of documents or the giving of evidence by a member of an agency or Minister for the purposes of external review. The abrogation of the right to claim legal professional privilege is justified as being necessary to ensure the Information Commissioner has the ability to properly consider and determine external reviews.
Obligations are placed on the Information Commissioner and the Commissioner's staff to ensure such information is protected. Under clause 120 the Information Commissioner must ensure information or documents provided are not disclosed other than to specified persons and documents must be returned at the end of an external review. Additionally, under clause 120 the Information Commissioner must make such directions considered necessary to avoid disclosure to an access participant. Also, it is an offence under clause 188 for the Information Commissioner or a staff member to disclose information obtained in performance of functions under the Bill.
The right of a person to take legal action over a wrong is an essential common law right. The right of access to government-held information is a cornerstone of the Bill. Under the Bill, the Information Commissioner can make a vexatious applicant declaration which may include conditions that prohibit a person from making an access application, internal review application or external review application without the permission of the Information Commissioner. The breaches of the fundamental legislative principles are considered to be justified to prevent an applicant from making repeated access or review applications that are vexatious in nature and unreasonably divert public resources. The Bill provides for safeguards against any potential loss of rights. Vexatious applicant declarations can only be made by the Information Commissioner when satisfied that the person has met the threshold test. It must be established that the person has
made repeated applications that involve an abuse of process or a manifestly unreasonable action. The Information Commissioner cannot make a vexatious applicant declaration until the person has the opportunity to be heard. In addition, a person with a vexatious applicant declaration against him or her has the opportunity to apply to the Information Commissioner to vary or set aside the order. The Information Commissioner's declaration is reviewable by the Queensland Civil and Administrative Tribunal.

Does the Bill confer immunity from proceedings or prosecutions?
Clauses 181 and 182 provide that in certain circumstances a person concerned with the granting of access to a document or publication of a document under the Bill does not commit a criminal offence.
Clause 179 provides protection against actions for defamation or breach of confidence against the State, an agency (including a Minister) or an officer where access to a document was required or permitted by the Bill or was authorised in the genuine belief that access was required or permitted by the Bill. Likewise clause 180 provides protection against actions for defamation or breach of confidence against the State, an agency, Minister, an officer or the Information Commissioner where publication of a document was required or permitted by the Bill.
Clause 183 provides that certain persons including an agency, Minister, an officer, a decision maker or the Information Commissioner, incur no civil liability for acts or omissions done or omitted to be done honestly and without negligence under, or for the purposes of, the Bill. The liability will attach instead to the State.
It is submitted that conferral of immunity as outlined above is appropriate for persons carrying out statutory functions.

Does the Bill have sufficient regard to the institution of Parliament?
Clause 157 provides that an agency may apply to the Information Commissioner to waive or modify the agency's obligation to comply with the privacy principles. Such approvals may be granted only if the Commissioner is satisfied that there is an overriding public interest in doing so. While an approval is in force, the agency to which it applies does not contravene the legislation in relation to the privacy principles if it acts in accordance with the approval.
It is considered necessary that the Bill allow a mechanism for a waiver of privacy principle obligations to provide flexibility in balancing the interests of protection of individuals' personal information against other emerging public interests. The waiver process is similar to public interest determinations issued under privacy legislation in the Commonwealth, New South Wales, Tasmania and Northern Territory.
To ensure that this mechanism has sufficient regard to the institution of Parliament, the provision requires that the approval be publicly notified by gazette notice and tabled in the Legislative Assembly. This recognises the important role of Parliamentary scrutiny by ensuring that the notice is subject to the possibility of disallowance by the Parliament.

Consultation
The Government released exposure drafts of the Right to Information Bill and the Information Privacy Bill for public consultation for a period of almost four months from 4 December 2008 until 31 March 2009. The Premier wrote to key stakeholders, such as Government Owned Corporations, local governments, universities and the media inviting submissions on the Bills.
Over 40 submissions were received from stakeholders including Government Owned Corporations, the Local Government Association of Queensland, the Queensland Law Society, the Queensland Council for Civil Liberties, the Office of the Federal Privacy Commissioner and the Australian Privacy Foundation.
All Government departments were also consulted on the exposure draft Bills and during drafting of the final Bills. All submissions received have been considered in finalising the drafting of the Bill.

Consistency with legislation of other jurisdictions
The Bill is specific to the State of Queensland, and is not uniform with or complementary to legislation of the Commonwealth or another state. However, other jurisdictions, including the Commonwealth, New South Wales and Tasmania have announced proposed reforms to their Freedom of Information legislation which are generally consistent with Queensland's Right to Information reforms, including providing the avenue to access and amend personal information through privacy legislation.
The introduction of privacy legislation in Queensland will align with the majority of other jurisdictions (the Commonwealth, New South Wales, Victoria, Tasmania and the Northern Territory) which have existing legislative safeguards regarding the handling of personal information in the public sector. Consideration of proposals for the development of uniform privacy principles will continue at a national level, but the introduction of the Bill will provide Queensland with a legislative basis for privacy regulation in advance of the national agenda.

Notes on Provisions

Chapter 1 Preliminary

Part 1 Introductory
Clause 1 establishes the short title as the Information Privacy Act 2009.
Clause 2 provides for commencement of the Bill by proclamation.
Clause 3 provides that the primary object of the Bill is to provide for:
     ·    the fair collection and handling in the public sector environment of personal information; and
     ·    a right for individuals to access and amend their personal information unless, on balance, it is contrary to the public interest to do so.
Clause 4 provides that the Bill is not intended to prevent or discourage the giving of access to, or allowing the amendment of, documents by means other than the Bill. The principles of the Right to Information reforms emphasise increased proactive and administrative disclosure, with formal application under the Bill intended to become an avenue of last resort.
Clause 5 provides that the Bill does not affect the operation of another Act and chapter 3 does not affect an administrative scheme that requires personal information to be made available, or enables an individual to access or to amend their personal information. Any administrative scheme providing access to personal information following commencement of the Bill should comply with the privacy principles.
Clause 6 provides that the Bill applies to the collection of personal information, regardless of when it came into existence, and to the storage, handling, accessing, amendment, management, transfer, use and disclosure of personal information regardless of when it was collected.
Clause 7 provides that the provisions of chapter 3 relating to access and amendment applications override the provisions of other Acts (except for
the Right to Information Bill) prohibiting the disclosure of personal information. Subject to this, subclause (2) provides that the Bill is intended to operate subject to the provisions of other Acts relating to the collection, storage, handling, accessing, amendment, management, transfer, use and disclosure of personal information.
Clause 8 provides that the Bill does not affect the provisions of other Acts regulating the disposal of information such as the Public Records Act 2002.
Clause 9 describes the relationship of the Bill to the Right to Information Bill. If an application is made under this Bill which requests access to information other than the applicant's personal information, then clause 54 of the Bill will apply and the application will be dealt with under the Right to Information Bill upon payment of the application fee.
Clause 10 provides that the Bill binds the State.

Part 2 Interpretation
Clause 11 provides that schedule 5 defines particular words used in the Bill.
Clause 12 sets out the meaning of "personal information", which is consistent with the definition contained in the Privacy Act 1988 (Cth).
Clause 13 sets out the meaning of "document" of an agency for chapter 3, which is the same as a document of an agency under the Right to Information Bill.
Clause 14 sets out the meaning of "document" of a Minister for chapter 3, which is the same as a document of a Minister under the Right to Information Bill.
Clause 15 sets out the meaning of "document" otherwise, for the purposes of application of the privacy principles and related provisions.
Clause 16 defines a "document to which the privacy principles do not apply" as the documents listed in schedule 1 of the Bill.
Clause 17 defines an "agency" for chapter 3 which is the same as an agency under the Right to Information Bill.
Clause 18 defines an "agency" for the purposes of application of the privacy principles and related provisions as being a Minister, a department, a local government or a public authority, but not including an entity listed in schedule 2. However, clause 202 of the Bill provides for delayed application to local government for a period of one year after commencement.
Clause 19 defines "entity to which the privacy principles do not apply" as the entities listed in schedule 2 of the Bill.
Clause 20 provides that the Bill, other than chapter 3, applies to a Minister only in relation to the Minister's capacity as a Minister in relation to the affairs of an agency.
Clause 21 sets out the meaning of "public authority".
Clause 22 sets out the meaning of "processing period" and "transfer period" for chapter 3.
Clause 23 defines what it means to "disclose" and "use" personal information for the purposes of the privacy principles.
Clause 24 defines "control" of a document for the purposes of the privacy principles.
Clause 25 explains references in the Bill to the Information Privacy Principles (IPPs) contained in schedule 3 of the Bill and the National Privacy Principles (NPPs) contained in schedule 4 of the Bill.

Chapter 2 Privacy principles

Part 1 Compliance with IPPs by agencies
Clause 26 refers to schedule 3, which sets out the IPPs.
Clause 27 provides that an agency, other than the Department of Health, must comply with the IPPs. Subclause (2) provides that an agency must not do something that contravenes or is otherwise inconsistent with an IPP
and must not fail to do something if the failure contravenes or is otherwise inconsistent with an IPP. Subclause (3) provides that the requirements of this clause apply to any act or practice relating to the agency's collection, storage, handling, accessing, amendment, management, transfer, use or disclosure of personal information.
Clause 28 provides that an agency is not required to comply with IPP 8, 9, 10 or 11 in relation to information connected to an individual's personal information which has previously been published to the public by the individual concerned.
Clause 29 sets out when a law enforcement agency, including the Queensland Police Service and the Crime and Misconduct Commission, may be satisfied on reasonable grounds that non-compliance with IPP 2, 3, 9, 10 or 11 is necessary.

Part 2 Compliance with NPPs
Clause 30 refers to schedule 4, which sets out the NPPs. Carrying over from IS42A, the NPPs, rather than IPPs, apply to the Department of Health to account for the unique nature of personal information in the health context and to provide greater consistency with national arrangements that apply to the health sector across Australia.
Clause 31 provides that the Department of Health must comply with the NPPs. Subclause (2) provides that the Department of Health must not do something that contravenes or is otherwise inconsistent with an NPP and must not fail to do something if the failure contravenes or is otherwise inconsistent with an NPP. Subclause (3) provides that the requirements of this clause apply to any act or practice relating to the department's collection, storage, handling, accessing, amendment, management, transfer, use or disclosure of personal information.
Clause 32 provides that the Department of Health is not required to comply with NPP 2, 3 or 9(4) in relation to information connected to an individual's personal information which has previously been published to the public by the individual concerned.

Part 3 Transfer of personal information outside Australia
Clause 33 sets out the circumstances where an agency may transfer an individual's personal information to an entity outside Australia.

Part 4 Compliance with parts 1 to 3 by contracted service providers
Clause 34 defines "service arrangement" for the purposes of this part as a contract or other arrangement for services entered into after the commencement of the Bill. Subclause (2) provides that the services must be for the purposes of the performance of one or more of the contracting agency's functions, the services must be provided either directly to the contracting agency or to another entity on the contracting entity's behalf, and not be provided in the capacity of an employee.
Clause 35 provides that an agency entering into a service arrangement with a contracted service provider must take all reasonable steps to ensure that, under the arrangement, the contracted service provider is required to comply with the IPPs or NPPs and with part 3 (Transfer of personal information outside Australia). This is subject to the qualifications in subclauses (2) and (3).
Clause 36 provides that a bound contracted service provider under a service arrangement must comply with the IPPs or NPPs and with part 3 (Transfer of personal information outside Australia) in relation to the discharge of its obligations under the arrangement as if it were the contracting agency. Subclause (2) states that this obligation continues to apply to bound contracted service providers after the service arrangement ends. Subclause (3) provides that a bound contracted service provider's compliance may be enforced under the Bill as if it were an agency.
Clause 37 provides that if the contracting agency did not take the steps required of it under clause 35, the obligations that would have attached to the bound contracted service provider instead attach to the contracting agency.

Part 5 Provision of information to Ministers
Clause 38 provides that an agency does not contravene the requirement under the Bill that it comply with the IPPs or the NPPs only because it gives personal information to a Minister to inform the Minister about matters relevant to the Minister's responsibilities in relation to the agency.

Part 6 Miscellaneous
Clause 39 provides that, except as provided for under procedures set out in the Bill, an obligation imposed on an entity under part 1, 2 or 3 does not give rise to any civil cause of action or operate to create in any person any legal right enforceable in a court or tribunal.

Chapter 3 Disclosure and amendment by application under this Act

Part 1 Right to access and amendment
Clause 40 provides that, subject to the Bill, a person has a right to be given access to documents of an agency and documents of a Minister to the extent the documents contain the individual's personal information. The rights and the manner in which these rights may be exercised are set out in the Bill. An application may be made for documents which came into existence before the commencement of the Bill, although the application will be taken to apply only to documents in existence on the day the application is received.
Clause 41 provides that, subject to the Bill, a person has a right to amend, if inaccurate, incomplete, out-of-date or misleading, documents of an agency and documents of a Minister to the extent the documents contain the individual's personal information. The rights and the manner in which these rights may be exercised are set out in the Bill. An application may be made in relation to documents regardless of when they were created.
Clause 42 provides that personal information may be accessed other than by application under this chapter and provides examples of such access.

Part 2 Access and amendment applications
Clause 43 sets out the application requirements for an individual who wishes to obtain access to a document of an agency or document of a Minister to the extent the document contains the individual's personal information, including the requirements to make the application in the approved form and provide sufficient evidence of identity or authorisation to act as an agent.
Clause 44 sets out the application requirements for an individual who wishes to amend personal information contained in a document of an agency or a document of a Minister because the individual claims the information is inaccurate, incomplete, out-of-date or misleading. The requirements include requirements to make the application in the approved form and provide sufficient evidence of identity or authorisation to act as an agent.
Clause 45 provides particular requirements for access or amendment applications made by a parent on behalf of a child.
Clause 46 provides that access or amendment applications may not be made or transferred to the Information Commissioner, the RTI Commissioner or the Privacy Commissioner unless it is an application to the Information Commissioner in relation to personal information of the staff of the Office of the Information Commissioner.
Clause 47 provides that an access application is taken only to apply to documents that are or may be in existence on the day the application is received. A document created after receipt of an application but before
notification of the decision on the application may nevertheless be disclosed to an applicant. No access charge applies and no review rights apply in relation to access to such a document.
Clause 48 provides that an access application is taken not to be for metadata unless specifically requested. Access to metadata does not need to be provided unless it is reasonably practicable. The clause also provides an inclusive definition of metadata.
Clause 49 provides that an access application does not require an agency or Minister to search for a document in a backup system. This does not preclude an agency or Minister from searching a backup system for a document if considered appropriate. "Backup system" is defined in the dictionary in schedule 5 to the Bill.

Part 3 Dealing with application

Division 1 Decision maker
Clause 50 requires that a principal officer of an agency is to deal with access or amendment applications to the agency. However, the principal officer may delegate to an officer within that agency or, except in the case of a local government, to the principal officer of another agency upon agreement. The second principal officer may subdelegate that decision making power. The clause further provides that decisions on applications for access to healthcare information of the applicant may only be delegated to an appropriately qualified healthcare professional.
Clause 51 sets out which persons are to deal with applications received by Ministers. An application may be dealt with by the person the Minister directs either generally or in a particular case. The clause further provides that decisions on applications for access to healthcare information of the applicant may only be delegated to an appropriately qualified healthcare professional.

Division 2 Preliminary contact with applicant
Clause 52 deals with the circumstance where an access or amendment application is received and the entity decides that the application is outside the scope of the Bill because:
     ·    the document is not a document of an agency for this chapter;
     ·    the entity is not an agency for this chapter;
     ·    the application is made to the Information Commissioner, RTI Commissioner or Privacy Commissioner.
Within 10 business days after the application is received, the entity is to give written notice to the applicant of the decision that the application is out of scope.
Clause 53 deals with the circumstance where an access or amendment application is made, but it does not comply with the application requirements. The agency or Minister must make reasonable efforts to contact the applicant within 15 business days after the application is received to inform the applicant of what requirements have not been met. If, after giving the applicant a reasonable opportunity to consult to remedy the application, the agency or Minister decides that the application is not valid, it must give prescribed written notice of this decision within 10 days. If the application requirements are met, the application is taken to be valid.
Clause 54 applies if, on its face, an access application purportedly made under this Bill should have been made under the Right to Information Bill because the application is for access to a document other than to the extent it contains the applicant's personal information. The agency or Minister must make reasonable efforts to contact the applicant within 15 business days after the application is received and inform the applicant that:
     ·    the application is not an application that can be made under this Bill; and
     ·    the application could have been made under the Right to Information Bill upon payment of the application fee payable under that Bill; and
     ·    the applicant may consult with the agency or Minister with a view to making an application under this Bill by changing the application; or having the application dealt with under the Right to Information Bill by paying the application fee.
An agency or Minister must not refuse to deal with an application purportedly made under this Bill without first giving the applicant a reasonable opportunity to consult. If the application fee is paid, the applicant is taken to have made the application under the Right to Information Bill on the date of the payment.

If, after the opportunity to consult is given and any consultation happens, the applicant does not either change the application, or pay the fee:
     ·    the applicant is taken to have confirmed the application as an application made under this Bill; and
     ·    the agency or Minister must again consider whether the application is an application that can be made under this Bill and, within 10 days of deciding that matter, give the applicant prescribed written notice of the decision.

Clause 55 provides for extensions of the processing period. At any time before the processing period expires, the agency or Minister may ask the applicant for further time to consider the application. An agency or Minister may continue to consider an application with a view to making a considered decision, only if the agency or Minister has requested an extension to the processing period, and the applicant has not refused the request or notified the agency or Minister that he or she has applied for review. Additional requests for further time to consider the application may be made in the same manner. If a decision is subsequently made, it replaces any decision that would have been deemed to be made as a consequence of not deciding the application within the processing period.

Division 3 Contact with relevant third party

Clause 56 sets out the process of consultation with relevant third parties (governments, agencies or persons) where disclosure of information could reasonably be expected to be of concern. Consultation must be undertaken to obtain the views of the third party about whether documents may fall outside the scope of the Bill, or whether information may be exempt or contrary to the public interest to disclose. Where the agency or Minister considers, contrary to the views of the third party, that the information may be released, the agency or Minister is to inform the third party and the applicant of this decision. The third party is informed of the rights of review under the Bill and the agency or Minister must defer access to the document until review rights have either expired or are exhausted.

Division 4 Transfers

Clause 57 provides for the transfer of access or amendment applications where the transferee agency, to the transferor agency's knowledge, possesses the document sought and where the transferee agency consents to the transfer.

Part 4 Refusal to deal with access or amendment application

Clause 58 sets out the Parliament's intention that access or amendment applications should be dealt with unless it would not be in the public interest. Despite the circumstances in which it is considered not to be in the public interest to deal with an application as set out in this part, an agency or Minister may deal with the application in accordance with the Parliament's stated pro-disclosure bias.

Clause 59 provides the grounds on which an agency or Minister may refuse to deal with an access application where all documents applied for are stated to and appear to be comprised of exempt information.

Clause 60 provides that an agency or Minister may refuse to deal with an access or amendment application for the reason of its effect on the agency's or Minister's functions. The clause lists factors to which the agency or Minister may have regard, and factors to which the agency or Minister may not have regard, in deciding to refuse to deal with an application on this basis. The agency or Minister must give the applicant written notice of the decision to refuse to deal with the application.

Clause 61 requires that, prior to refusing to deal with an access application under the preceding clause, the applicant must be provided with an opportunity to consult with the agency or Minister with a view to making the application in a form which would remove the ground for refusal. The applicant is to confirm or amend the application within the consultation period (10 business days or longer by mutual agreement), or the application will be taken to have been withdrawn.

Clause 62 provides for the situation where an application is for the same document or documents sought by the applicant under an earlier application. The agency or Minister may refuse to deal with the later application where the application does not reveal any reasonable basis for seeking the document again. The clause outlines the circumstances in which the agency or Minister can refuse to deal with the later application.

Clause 63 provides for the situation where an application for amendment relates to the same amendment sought by the applicant under an earlier application. The agency or Minister may refuse to deal with the later application for amendment where the application does not reveal any reasonable basis for seeking amendment of the document again. The clause outlines the circumstances in which the agency or Minister can refuse to deal with the later application.

Part 5 Decision

Division 1 Access applications

Clause 64 expressly confirms the Parliament's intention that access should be given to documents upon application unless disclosure would, on balance, be contrary to the public interest. The purpose of part 5 is to assist an agency or Minister with the assessment of the public interest. The clause also notes that an agency or Minister has the discretion to give access to a document even if access may be refused under this Bill.

Clause 65 provides that, on consideration of an access application, the agency or Minister is to make a decision about whether to provide access to a document and if access is to be given, whether any charge is payable. These decisions are known as considered decisions. The applicant is to be given written notice of the decision pursuant to the requirements of clause 68.

Clause 66 provides that, where an applicant has not been given written notice of a considered decision by the last day of the processing period, the agency or Minister is taken to have refused the application. These decisions are known as deemed decisions. Written notice of a deemed decision must be given to the applicant as soon as practicable after a deemed decision is taken to have been made.

Clause 67 provides that an agency may refuse access to a document of the agency and a Minister may refuse access to a document of the Minister in the same way and to the same extent the agency or Minister could refuse access to the document under the Right to Information Bill, clause 47 (Grounds on which access may be refused).

Clause 68 requires an agency or Minister to give written notice of a decision to an applicant and sets out the required contents of the notice. Where access is given, the notice must include details of any charges payable and the period of time during which the document may be accessed. Where access is refused, the notice must detail the reason for refusal including, where applicable, reasons why disclosure of the information would be contrary to the public interest under the Right to Information Bill.

Clause 69 allows an agency or Minister to neither confirm nor deny the existence of a document containing prescribed information. Prescribed information is defined in the dictionary in schedule 6 as specified categories of exempt information, or personal information the disclosure of which would be contrary to the public interest. The agency or Minister may give written notice of a decision under this clause.

Division 2 Amendment applications

Clause 70 provides that, on consideration of an amendment application, the agency or Minister is to make a decision about whether amendment of a document is permitted. This is a considered decision. The applicant is to be given written notice of the decision pursuant to the requirements of clause 73.

Clause 71 provides that, where an applicant has not been given written notice of a considered decision by the last day of the processing period, the agency or Minister is taken to have refused the application. These decisions are known as deemed decisions. Written notice of a deemed decision must be given to the applicant as soon as practicable after a deemed decision is taken to have been made.

Clause 72 provides that the agency or Minister may refuse to amend a document where the agency or Minister is not satisfied that the personal information is inaccurate, incomplete, out of date or misleading; the information sought to be amended is personal information of the applicant; or, that an agent is suitably authorised to make the application. The agency or Minister may also refuse to amend a document where the agency or Minister is not satisfied that the document does not form part of a functional record that is available for use in the ordinary performance of the agency or Minister's functions.

Clause 73 provides that the agency or Minister is to provide prescribed written notice to the applicant of the decision made for the amendment application including providing reasons where the amendment is not permitted. An agency or Minister is not required to provide any exempt information or any contrary to public interest information in the notice. This clause does not apply to a deemed decision under clause 71(1).

Clause 74 provides that the agency or Minister may amend a document by altering the personal information or notation.

Clause 75 provides that when an agency or Minister adds a notation to personal information the notation must state how the information is inaccurate, out of date, incomplete or misleading and, if applicable, set out the information that is required to make it complete and up to date.

Clause 76 provides that an applicant may, by written notice, require particular notations to be added to personal information where an agency or Minister refuses to amend the document.

Part 6 Charging regime

Division 1 Preliminary

Clause 77 provides a definition of access charge, which is prescribed under regulation.

Clause 78 obliges an agency or Minister to minimise any charges payable by an applicant.

Division 2 Payment of charges

Clause 79 provides that prior to being given access to a document the applicant must pay the applicable access charge for the application.

Division 3 Waiver of charges

Clause 80 provides that an access charge may only be waived as provided under this division.

Clause 81 provides that an access charge may be waived if the agency or Minister considers that the likely cost to the agency of estimating the charges and receiving payment would be greater than the amount of the charges.

Clause 82 outlines the circumstances in which an agency or Minister, at the written request of an applicant, can waive an access charge. In the case of an individual, the request must be accompanied by a copy of a concession card, and the agency or Minister considers the applicant is a concession card holder and not making the application on behalf of another person for the purpose of avoiding a charge. The agency or Minister has discretion to determine whether a concession card holder may be making an application on behalf of another person for the purpose of avoiding a charge.

Part 7 Giving access

Clause 83 sets out the forms of access for a document which may be given to the applicant. If the forms of access sought would interfere unreasonably with the operations of the agency or the performance of the Minister's functions, would be detrimental to the preservation of the document or involve copyright infringement, access in the form requested may be refused and access provided in another form. The provision does not limit the giving of access in another form agreed to by the applicant. However, if access is given in a form other than the form of access requested, the charge payable cannot be greater than would have been payable if the requested form of access was given.

Clause 84 provides for the time within which access may be made in the circumstances where access has been granted. There is no entitlement to access unless the relevant access charge has been paid. The time limit for access is generally 40 business days from the date of the decision granting access or any additional time allowed by the agency or Minister. Where access is deferred, the time limit for access is 40 business days after the applicant receives notice that access is no longer delayed or any additional time allowed by the agency or Minister. If a person does not seek access within the relevant time limit, the right to access under that application ends.

Clause 85 requires that where certain personal information is intended to be provided to an applicant or agent, the agency or Minister must first ensure that the person who receives the information is indeed the applicant or the agent. The type of personal information to which this clause applies is personal information, the disclosure of which to a person other than the applicant or agent, would on balance be contrary to public interest under section 49 of the Right to Information Bill.

Clause 86 requires an agency or Minister to ensure that, where an application for a child's personal information is made on behalf of a child, that information is only received by the child's parent. Clause 45 defines child and parent.

Clause 87 provides that access may be deferred for a reasonable period in particular circumstances where the document must first be prepared for release.

Clause 88 provides that an agency or Minister may delete information from a copy of a document that is irrelevant to an application before giving the applicant the copy of the document. This is only permissible where the agency or Minister considers, from the application or from consultation with the applicant, that the applicant would accept such a copy and it is reasonably practicable to give access to the copy.

Clause 89 provides that an agency or Minister may delete information from a copy of a document that is exempt information before giving the applicant the copy of the document. This is only permissible where the agency or Minister considers, from the application or from consultation with the applicant, that the applicant would wish to be given access to such a copy and it is reasonably practicable to give access to the copy.

Clause 90 provides that an agency or Minister may delete information from a copy of a document that is contrary to public interest information before giving the applicant the copy of the document. This is only permissible where the agency or Minister considers, from the application or from consultation with the applicant, that the applicant would accept such a copy and it is reasonably practicable to give access to the copy. Contrary to public interest information is defined in schedule 5 to the Bill.

Clause 91 provides for the circumstances where an agency or Minister has refused access to a document that includes the personal information of the applicant. Despite the refusal, the agency or Minister must consider giving the person or the person's intermediary (a person nominated by the applicant and approved by the agency or Minister) a summary of the personal information. A summary may be provided to an intermediary on conditions of use or disclosure agreed between the agency or Minister and the intermediary, or between the agency or Minister, the intermediary and the applicant. Where the summary would include information provided in confidence to the agency or Minister by a person other than the applicant or contains the personal information of a person other than the applicant, the summary must not be given without consultation with and the consent of the information giver or other person. This proviso is applicable whether or not the summary reveals the identity of the information giver or other person.

Clause 92 applies if a principal officer of an agency or Minister refuses access to healthcare information under section 47 of the Right to Information Bill. It permits a Minister or the principal officer of an agency to direct that access to a document be given to an appropriately qualified healthcare professional nominated by the applicant and approved by the Minister or principal officer, rather than giving access to the applicant. This clause applies where the document for which application is made contains health information provided by a health professional, the disclosure of which might be prejudicial to the physical or mental health or wellbeing of the applicant. The nominated and approved healthcare professional to whom the information is disclosed may decide whether or not to disclose all or part of the health information and the way in which to disclose.

Part 8 Internal review

Clause 93 provides definitions of internal review and internal review application.

Clause 94 provides that a person affected by a decision that is subject to internal review may apply to have the decision reviewed by the agency or Minister. Reviewable decisions are listed in the dictionary at schedule 5. Internal review is not, however, a prerequisite for external review. The reviewer decides the application as if the original decision had not been made. The reviewer cannot be the person who made the original decision and must not be less senior than that person.

Clause 95 provides that an internal review decision, a decision made by an agency's principal officer or a decision made by a Minister cannot be internally reviewed.

Clause 96 sets out how to make an application for internal review.

Clause 97 provides that an agency or Minister must decide an internal review and notify the applicant of the decision as soon as possible. However, if no notification is provided within 20 business days of the application being made, the agency or Minister is taken to have made the same decision as the original decision. As soon as practicable after a decision is made or taken to be made, prescribed written notice of the decision must be given to the applicant.

Part 9 External review

Division 1 Preliminary

Clause 98 provides definitions of external review and external review application.

Clause 99 provides that a person affected by a decision that is reviewable under the Bill may apply to have the decision reviewed by the Information Commissioner. Reviewable decisions are listed in the dictionary at schedule 5.

Clause 100 provides that the agency or Minister whose decision is under review has the onus of establishing the decision was justified or that the Information Commissioner should give a decision adverse to the applicant.

Division 2 Application

Clause 101 sets out how to make an application for external review.

Clause 102 provides that the participants in an external review are the applicant, agency or Minister and, where the Information Commissioner allows, a person affected by the decision the subject of the external review.

Division 3 After application made

Clause 103 provides that the Information Commissioner must attempt early resolution of an external review application and promote its settlement, unless the Commissioner decides not to deal with the application. The Information Commissioner may suspend an external review at any time to allow for negotiation for a settlement. Any settlement agreement replaces the decision being externally reviewed.

Clause 104 provides for the Information Commissioner to inform the agency or Minister of an external review application for a deemed decision as soon as practicable after it is made.

Clause 105 provides for the Information Commissioner to inform the agency or Minister of an external review application before starting the review.

Clause 106 applies where a deemed decision is the subject of an external review. Where an agency or Minister applies, the Information Commissioner may allow the agency or Minister further time in which to decide the application. This may be subject to conditions set by the Information Commissioner. Where the agency or Minister does not make a considered decision within the further time allowed, the agency or Minister is taken to have made a decision affirming the deemed decision.

Clause 107 sets out the grounds upon which the Information Commissioner may decide not to deal with, or not to further deal with, all or part of an external review application. The Information Commissioner must advise the applicant of its decision in writing (unless the applicant is not contactable) and any other person informed by the Commissioner of the external review.

Division 4 Conduct of external review

Clause 108 sets out the procedure on an external review, including, for example, that the Information Commissioner is not bound by the rules of evidence. The Information Commissioner may give directions on procedure.

Clause 109 requires any participant to a review to comply in a timely way with a reasonable request for assistance made by the Information Commissioner. This applies regardless of whether the participant has the onus under clause 100.

Clause 110 provides that, unless the Information Commissioner decides otherwise, the making of oral submissions or the giving of oral evidence during an external review must be conducted in public. The Information Commissioner is obliged to ensure procedural fairness and an opportunity for the applicant to present their views, although this need not be in person. Where personal appearances are allowed, the Information Commissioner may permit a participant to be represented by another person. The provision also requires the Information Commissioner to notify persons of the likely release of documents affecting them if they were not notified of the review.

Division 4A Powers of Information Commissioner on external review

Clause 111 provides the Information Commissioner with the power to make preliminary inquiries of the applicant or agency or Minister with a view to determining whether the Commissioner has the power to review a matter or whether the Commissioner may decide not to review a matter.

Clause 112 provides the Information Commissioner with the power to require any agency or Minister to provide further particulars or details of the reasons for the decision.

Clause 113 provides that the Information Commissioner is entitled to full and free access to the documents of the agency or Minister.

Clause 114 allows the Information Commissioner to require an agency or Minister to provide a written transcript of an audio file or a codified or shorthand document. Where the review relates to information held by the agency but not in written form, the Information Commissioner can require an agency or Minister to create a written document using equipment usually available for retrieving or collating that type of stored information.

Clause 115 provides the Information Commissioner, in reviewing a decision to refuse access, with a power to require an agency or Minister to conduct further searches for a document, including making inquiries to locate the document.

Clause 116 provides the Information Commissioner with a power to, by notice, require a person to produce relevant information they may have in writing or to attend in person to answer questions about the information. The Commissioner can also require a person to produce documents. The clause requires the Information Commissioner to ensure that the document is not disclosed to persons other than the Commissioner's staff, the document's creator or their representative and to return the document at the conclusion of the review.

Clause 117 empowers the Information Commissioner to administer an oath or affirmation.

Clause 118 empowers the Information Commissioner to review any decision by an agency or Minister in relation to an access application and decide any matter in relation to an access application that could have been made by the agency or Minister under the Bill. The Commissioner does not, however, have power to grant access to an exempt or contrary to public interest document.

Clause 119 provides that confidentiality provisions of an Act or rule of law do not apply to the provision of information to the Information Commissioner for the purposes of an external review. Participants in an external review have the same privileges as they would have in a court proceeding. However, legal professional privilege is not applicable to the production of a document or the giving of evidence by a member of an agency or Minister for the purposes of a review.

Clause 120 provides that the Information Commissioner must do all things necessary to ensure proper disclosure and return of documents.

Clause 121 empowers the Information Commissioner to issue any directions necessary to avoid disclosure of documents to an access participant or their representative that are claimed to be exempt or contrary to public interest documents or that the Information Commissioner considers may be protected by legal professional privilege. If necessary this may include hearing evidence or argument in the absence of an access participant or their representative. The Information Commissioner's decision or reasons for decision must not contain information claimed to be exempt or contrary to public interest information. The clause defines access participant.

Clause 122 provides that where an applicant challenges a notice neither confirming nor denying the existence of a document that would, if it existed, contain prescribed information, and the Information Commissioner is satisfied it does not contain prescribed information, then the decision and reasons may contain reference to the information.

Division 5 Decision on external review

Clause 123 provides that the Information Commissioner must make a written decision following an external review, which must include reasons for the decision. Copies are provided to the participants and the decision must be published. Publication is not required to the extent that the decision or reasons for decision includes exempt information or information the disclosure of which would be contrary to the public interest.

Clause 124 allows the Information Commissioner to correct mistakes in decisions.

Division 6 Miscellaneous

Clause 125 provides that costs incurred by a participant in external review are payable by the participant.

Clause 126 allows for the Information Commissioner to bring evidence that an agency's officer has committed a breach of duty or misconduct in the administration of the Bill to the attention of the principal officer of the agency, or where the evidence relates to the principal officer or a person subject to the direction of the Minister, to the attention of the responsible Minister. Responsible Minister is defined in the clause.

Part 10 Vexatious applicants

Clause 127 empowers the Information Commissioner to declare a person a vexatious applicant, but only if the Commissioner is satisfied that:
     ·    the person has repeatedly engaged in access applications and the repeated applications involve an abuse of process; or
     ·    a particular access action involves or would involve an abuse of process; or
     ·    a particular access action would be manifestly unreasonable.

The person must be given the opportunity to make oral or written submissions before the Information Commissioner makes any declaration. The declaration may contain terms and conditions including requiring the Information Commissioner's written permission before the person can make an access application or application for internal or external review. The clause defines relevant terms.

Clause 128 provides for the variation or revocation of a vexatious applicant declaration.

Part 11 References of questions of law and appeals

Clause 129 defines judicial member and appeal tribunal.

Clause 130 preserves the jurisdiction of the Supreme Court to determine questions of law referred by the Information Commissioner either on the Commissioner's own initiative or at the request of a participant until the commencement of clause 131 which will vest the jurisdiction in the Queensland Civil and Administrative Tribunal (QCAT).

Clause 131 provides that the Information Commissioner can, in an external review, refer a question of law to QCAT either on the Commissioner's own initiative or at the request of a participant. QCAT is constituted by one judicial member and must exercise its original jurisdiction under the Queensland Civil and Administrative Tribunal Act 2009 (QCAT Act) to hear and decide the question of law and the decision is binding on the Information Commissioner. The Information Commissioner must not make the decision on external review whilst the reference of the question of law to QCAT is pending.

Clause 132 provides that a participant can appeal the Information Commissioner's decision on an external review to QCAT but only on a question of law. Unless QCAT orders otherwise, the notice of appeal must be filed within 20 business days of the decision the subject of the appeal and be served on all other participants as soon as possible. Appeals are by way of rehearing.

Clause 133 allows a person to appeal a declaration that the person is a vexatious applicant to QCAT.

Chapter 4 Information Commissioner and Privacy Commissioner

Part 1 Functions of Information Commissioner under this Act

Clause 134 provides that the Information Commissioner is not subject to direction.

Clause 135 sets out the performance monitoring and support functions of the Information Commissioner under this Bill.

Clause 136 sets out the decision making functions of the Information Commissioner under this Bill.

Clause 137 sets out the external review functions of the Information Commissioner under this Bill.

Clause 138 declares that guidelines issued under the Right to Information Bill may include guidelines relating to the Information Commissioner's functions under this Bill.

Part 2 Staff of Office of Information Commissioner in relation to this Act

Clause 139 states that the Information Commissioner may delegate to a member of the staff of the Office of the Information Commissioner all or any of the Information Commissioner's powers under the Bill.

Clause 140 provides that the staff of the Information Commissioner are not subject to direction by any person other than the Information Commissioner in relation to the performance of the Information Commissioner's functions under the Bill.

Part 3 Privacy Commissioner

Clause 141 provides that there is to be a Privacy Commissioner who is a member of the staff of the Information Commissioner.

Clause 142 provides that the principal role of the Privacy Commissioner is that of deputy to the Information Commissioner, with particular responsibility for matters relating to the Information Commissioner's functions under the Bill.

Clause 143 states that the Privacy Commissioner is subject to the direction of the Information Commissioner.

Clause 144 provides that the Privacy Commissioner is appointed by the Governor in Council under the Bill and not the Public Service Act 2008.

Clause 145 sets out the procedure to be followed for appointment of the Privacy Commissioner including advertising nationally for applications and consulting with the parliamentary committee regarding the process for appointment and appointment of a person as Privacy Commissioner.

Clause 146 sets out the term of appointment for the Privacy Commissioner.

Clause 147 provides that the remuneration and allowances for the Privacy Commissioner are decided by the Governor in Council and, other than as provided for in this Bill, on the terms and conditions decided by the Governor in Council.

Clause 148 provides that the Minister may grant a leave of absence to the Privacy Commissioner.

Clause 149 provides for the preservation of a public service officer's existing and accruing employee entitlements if appointed to the office of Privacy Commissioner.

Clause 150 provides for restrictions on outside employment for the Privacy Commissioner unless the Minister provides prior approval.

Clause 151 provides that the Privacy Commissioner may resign by signed notice given to the Minister. The Minister must give the notice to the Governor for information and a copy of the notice to the Speaker and the chairperson of the parliamentary committee. Failure to give the notice will not invalidate the resignation.

Clause 152 provides that the Governor in Council may appoint a person to act as Privacy Commissioner during a vacancy in the office or when the Privacy Commissioner is absent from duty or from Australia or unable to perform the duties of the office.

Part 4 Proceedings

Clause 153 provides that the Information Commissioner cannot be compelled to produce a privacy document or disclose privacy information in third party legal proceedings.

Clause 154 provides that the State is to pay the reasonable costs of a party to a proceeding started by the State arising out of the performance of the functions of the Information Commissioner under the Bill.

Clause 155 provides that the Information Commissioner or Privacy Commissioner is entitled to appear and be heard in a proceeding arising out of the performance of the functions of the Information Commissioner under the Bill.

Clause 156 provides that the Attorney-General may intervene on behalf of the State in a proceeding arising out of the functions of the Information Commissioner under the Bill.

Part 5 Waiving or modifying privacy principles obligations in the public interest

Clause 157 provides that an agency (a Minister, department, local government or public authority) may apply to the Information Commissioner for approval to waive or modify its obligations to comply with the privacy principles. Approval may only be given under this clause if the Information Commissioner is satisfied that the public interest in the agency's compliance with the privacy principles is outweighed by the public interest in waiving or modifying the agency's obligation to comply with the privacy principles. The Information Commissioner's approval must be notified by gazette notice and sections 49 to 51 of the Statutory Instruments Act 1992 apply to the notice as if it were subordinate legislation. This recognises the important role of parliamentary scrutiny by providing that the notice is tabled in the Parliament and subject to the possibility of disallowance under section 50 of the Statutory Instruments Act 1992. The Information Commissioner and the relevant agency must also ensure that a copy of the gazette notice is published on the Commissioner's and agency's website.

Part 6 Compliance notices

Clause 158 provides that the Information Commissioner may give an agency (a Minister, department, local government or public authority) a compliance notice if satisfied on reasonable grounds that the agency has done an act or engaged in a practice that is a serious or flagrant contravention of its obligations to comply with the privacy principles or the act or practice has been done or engaged in on at least five separate occasions within the last two years. The compliance notice may require an agency to take a stated action within a stated period of time to ensure compliance with its obligations.

Clause 159 provides that an agency may ask the Information Commissioner for an extension of time in order to take the action stated in the compliance notice. The Information Commissioner may extend the time for compliance if satisfied that it is not reasonably practicable for the agency to take the action stated within the required time and the agency gives an undertaking to take the stated action within the extended period.

Clause 160 provides that an agency must take all reasonable steps to comply with a compliance notice. The maximum penalty is 100 penalty units for an agency failing to comply with a compliance notice.

Clause 161 provides that an agency may apply to QCAT for a review of the decision to give it the compliance notice.

Clause 162 provides that the parties to the application to QCAT to review the decision to give the compliance notice and any review are the agency and the Information Commissioner. QCAT may also join another party to a proceeding subject to the QCAT Act.

Clause 163 provides that, upon review, QCAT may make any of the following orders: an order confirming the Information Commissioner's decision to give the compliance notice to the agency; an order confirming the decision to give the notice but substituting different terms; an order reversing the decision to give the notice; or an order revoking the giving of the notice and giving the Information Commissioner directions about the issuing of a replacement notice.

Chapter 5 Privacy complaints

Part 1 Making privacy complaints

Clause 164 provides that a privacy complaint is a complaint by an individual about an act or practice of a relevant entity that is a breach of its obligation under the Bill to comply with the privacy principles, or other requirements in accordance with the Bill. A relevant entity is a Minister, department, local government, public authority or a bound contracted service provider. Clause 209 further provides that a complaint may be made only about a breach which happened after commencement.

Clause 165 provides that an individual whose personal information is, or at any time has been, held by a relevant entity may make a privacy complaint to the Information Commissioner. A privacy complaint may also be referred to the Information Commissioner by other specified complaint entities such as the Ombudsman or the Health Quality and Complaints Commission. The Information Commissioner must advise the relevant entity the subject of the complaint as soon as practicable after receiving a privacy complaint.

Clause 166 sets out the requirements for a privacy complaint made or referred to the Information Commissioner. The Information Commissioner must give reasonable help to an individual making a privacy complaint to put the complaint in written form. An individual must make a complaint pursuant to the relevant complaints management system of a relevant entity before making a privacy complaint to the Information Commissioner.

Part 2 Dealing with privacy complaints

Clause 167 provides that the Information Commissioner may make preliminary inquiries to decide whether the Commissioner is authorised to deal with a privacy complaint.

Clause 168 sets out when the Information Commissioner may decline to deal, or continue to deal, with a privacy complaint.

Clause 169 provides that in certain circumstances the Information Commissioner may refer a privacy complaint to other specified complaint entities such as the Ombudsman, or the Health Quality and Complaints Commission.

Clause 170 makes specific provision for the Information Commissioner to enter into an arrangement with the Ombudsman in relation to dealing with privacy complaints under the Bill and administrative actions under the Ombudsman Act 2001.

Part 3 Mediation of privacy complaints

Clause 171 provides that the Information Commissioner must consider whether the privacy complaint could be resolved through mediation and, if applicable, attempt to resolve the complaint through mediation.

Clause 172 provides that if mediation of a privacy complaint is successful the complainant and the respondent may ask the Information Commissioner to prepare a written record of the agreement. The agreement is to be signed by the complainant and the respondent and certified by the Information Commissioner.

Clause 173 provides that the complainant or respondent may file the certified agreement with QCAT. The complainant and the respondent may withdraw from the certified agreement within five business days after filing the agreement with QCAT. If the parties do not withdraw, QCAT may make orders to give effect to the certified agreement. An order made by QCAT under this clause may be enforced as an order of QCAT under the QCAT Act.

Part 4 Referral of privacy complaints to QCAT

Clause 174 provides that part 4 applies where the Information Commissioner does not consider that resolution of the privacy complaint could be achieved through mediation, or mediation is attempted but is unsuccessful.

Clause 175 provides that the Information Commissioner must give written notice to both the complainant and the respondent for the privacy complaint advising that this part applies and that the Commissioner will, if asked by the complainant, refer the privacy complaint to QCAT for hearing.

Clause 176 provides that the Information Commissioner must refer the privacy complaint to QCAT if asked to do so by the complainant and that QCAT has jurisdiction to hear the complaint pursuant to its original jurisdiction.

Clause 177 provides that the complainant (the applicant for the purposes of the QCAT proceeding) and respondent for a privacy complaint are both parties to a QCAT proceeding. QCAT may also join another party to a proceeding subject to the QCAT Act.

Clause 178 sets out the orders that may be made by QCAT after the hearing of a privacy complaint.

Chapter 6 Protection and offences

Part 1 Protection

Clause 179 provides the State, an agency, Minister or officer with protection from actions for defamation or breach of confidence where access is required or permitted, or given by the decision maker in the genuine belief access is required or permitted, under the Bill. Protection is also given to a document's author or any other person because they supplied the document to an agency or Minister. Granting of access to a document following an application is not, for the purposes of laws relating to defamation or breach of confidence, authorisation or approval of publication of the document or its content by the person granted access.

Clause 180 provides for further protection from actions for defamation or breach of confidence if a chapter 3 document has been published and the publication was required under clause 123.

Clause 181 ensures that a decision maker or other person concerned with the giving of access under this Bill does not commit a criminal offence simply through giving, or authorising, access.

Clause 182 ensures that, if a publication was required in relation to an external review decision under clause 123 or authorised by the Information Commissioner in the genuine belief that publication was required under clause 123, the person authorising publication and anyone involved in the publication does not commit a criminal offence simply by authorising or being involved in the publication of the document.

Clause 183 provides an agency, principal officer, any staff acting under the direction of an agency or principal officer, a decision maker, the Information Commissioner or the Information Commissioner's staff with protection from civil liability for acts or omissions under the Bill, as long as they were done honestly and without negligence.

Part 2 Offences

Clause 184 provides that it is an offence to give a person a direction to make a decision or deal with an application contrary to the requirements of the Bill. This offence provision does not apply to a direction given to a member of staff by the Information Commissioner or a person authorised by the Information Commissioner under clause 140. The maximum penalty for this offence is 100 penalty units.

Clause 185 provides that it is an offence for a person to knowingly deceive or mislead a person exercising powers under the Bill in order to gain access to a document containing another person's personal information. The maximum penalty for this offence is 100 penalty units.

Clause 186 provides that it is an offence for a person to knowingly give false or misleading information to the Information Commissioner or the Information Commissioner's staff. The maximum penalty for this offence is 100 penalty units.

Clause 187 provides that it is an offence for a person given notice under clause 116 or 197 to fail to give information, produce a document or attend before the Information Commissioner without reasonable excuse. Clause 116 gives the Information Commissioner powers to obtain information and documents and to compel attendance before the Commissioner in relation to external review. Clause 197 gives the Information Commissioner powers to obtain information and to compel attendance before the Commissioner in relation to compliance notices and privacy complaints. The maximum penalty for this offence is 100 penalty units.

Clause 188 provides that it is an offence for a person who is or has been the Information Commissioner or a member of the Information Commissioner's staff to disclose any information (other than for the purposes of the Bill) or take advantage of that information for personal benefit or for the benefit of another person. The maximum penalty for this offence is 100 penalty units.

Chapter 7 Miscellaneous provisions

Part 1 Relationship of this Act to other Acts

Clause 189 provides that the Bill does not affect the provisions of the Public Records Act 2002 with respect to giving access to documents by the Queensland State Archives. This clause also provides that the Public Records Act 2002 does not prevent a person obtaining access to a document from the Queensland State Archives under the Bill.

Clause 190 provides that a document placed by a person in the custody of the Queensland State Archives or a public library is available for access by members of the community subject to any restrictions or conditions imposed by the person at the time. This provision applies unless, when the document was placed in the archives or the library, the document was a document of an agency or a document of a Minister.

Clause 191 provides that a document is taken to be in an agency's possession, or in the possession of an agency whose functions are most closely related to an agency that no longer exists, if the document has been placed in the custody of the Queensland State Archives and is not reasonably available for inspection under the Public Records Act 2002 or if the document has been placed in a place of deposit under the Libraries Act 1988 or the Public Records Act 2002. This clause does not apply to a Minister or a local government.

Part 2 Operation of this Act

Clause 192 requires the Minister to arrange for a review of the operation of the Bill to start no later than two years after commencement of this clause. As soon as practicable after completion, a report on the review must be tabled with the Legislative Assembly.

Clause 193 provides for reporting obligations of the Information Commissioner, including the requirement to submit a report to the Speaker and the parliamentary committee about the Information Commissioner's operations as soon as practicable after the end of each financial year. The dictionary in schedule 5 of the Bill defines the parliamentary committee as the Law, Justice and Safety Committee of the Legislative Assembly.

Clause 194 provides that the Minister administering the Act is to prepare a report and table it in the Legislative Assembly after the end of each financial year. The requirements for the report may be prescribed under regulation. The report may be included as part of an annual report prepared pursuant to the Right to Information Act.

Clause 195 sets out the functions of the parliamentary committee for purposes of the Bill.

Part 3 Other

Clause 196 clarifies that a person's agent is able to act for the person under the terms of the authorisation as an agent and a child's parent is able to act for a child.

Clause 197 provides the Information Commissioner with powers to obtain information and to compel attendance and administer oaths or affirmations in relation to compliance notices and privacy complaints.

Clause 198 provides that anything done under the Bill involving QCAT must be done in accordance with QCAT rules and procedures.

Clause 199 makes general provision for the requirements for the contents of a prescribed written notice of a decision. If prescribed written notice of a decision must be given, the notice must state the decision, the reasons for the decision, the name and designation of the person making the decision, as well as details of any rights of review including procedures to be followed and any relevant timeframes.

Clause 200 provides that the chief executive may approve forms for use under the Bill.

Clause 201 provides that the Governor in Council may make regulations under the Bill.

Chapter 8 Transitional provisions

Clause 202 defers the application of the Bill--apart from chapter 3 (Disclosure and amendment by application under this Act) and other provisions of the Act that apply for the purposes of chapter 3--to local government until one year after the commencement of this clause. This will allow local governments a transitional period to put in place suitable arrangements for appropriate collection and handling of personal information before being formally required to comply with the privacy principles.

Clause 203 provides that, where context permits, a reference to the Freedom of Information Act 1992 in an Act or document is a reference to this Bill.

Clause 204 preserves the validity of the appointment of a Privacy Commissioner where any part of the recruitment process was undertaken prior to commencement of the Bill.

Clause 205 provides that for sections 62 and 63, a first application includes an application under the repealed Freedom of Information Act 1992. Clause 62 of the Bill deals with refusal to deal with an application on the ground that the same document or documents were sought by the applicant under an earlier application.

Clause 206 provides that, if a certified agreement is made before QCAT comes into existence and the complainant or respondent wishes to file a copy of the agreement with QCAT, the agreement must be filed within 20 business days of QCAT coming into existence.

Clause 207 reflects the Government's intention that the ability to lodge privacy complaints will commence concurrently with the operations of QCAT.

Clause 208 provides that, if the Information Commissioner is required to refer a privacy complaint to QCAT before QCAT comes into existence, the Commissioner must do so within 20 business days of QCAT coming into existence.

Clause 209 clarifies that an individual may make a privacy complaint only about an entity's actions done after chapter 5 commences.

Clause 210 provides for the continuing application of relevant information standards to certain existing contracts and other arrangements.

Clause 211 states that the privacy principles do not apply to actions and practices necessary for the performance of a contract entered into before the commencement of this provision.

Schedule 1 Documents to which the privacy principles do not apply

Schedule 1 sets out the documents to which the privacy principles do not apply including in relation to covert activity, witness protection, disciplinary actions and misconduct, whistleblowers, Cabinet and Executive Council and commissions of inquiry.

Schedule 2 Entities to which the privacy principles do not apply

Schedule 2 sets out the entities to which the privacy principles do not apply and the entities to which the privacy principles do not apply in relation to a particular function, consistent with the framework of the Right to Information Bill.

Part 1 lists the entities to which the privacy principles do not apply, including the Legislative Assembly (including Members of Parliament and Parliamentary Committees), commissions of inquiry, parents and citizens associations, grammar schools and government owned corporations and their subsidiaries. Exclusions for commissions of inquiry and parents and citizens associations maintain current exclusions under IS42, while other exclusions are required due to the change in scope of application brought about by the application of the Bill to public authorities as defined in clause 21 of the Bill. The Legislative Assembly is excluded to ensure that the Bill does not infringe on the privileges of Parliament, and government owned corporations are excluded to ensure no inconsistency arises with the Privacy Act 1988 (Cth) given government owned corporations are subject to that Act.

Part 2 lists the entities to which the privacy principles do not apply in relation to a particular function, including courts, tribunals and other entities and associated office holders and registries in relation to judicial, or quasi-judicial functions. These exclusions maintain current exclusions under IS42.

Schedule 3 Information Privacy Principles

Schedule 3 is referred to in clause 26 of the Bill. Schedule 3 sets out the Information Privacy Principles (IPPs) with which an agency (a Minister, Parliamentary Secretary, local government, public authority and department, except for the Department of Health) must comply under clause 27.

The IPPs are adapted from the Privacy Act 1988 (Cth) and codify, with some amendments, the IPPs set out under IS42.

The IPPs give effect to the Bill's object of fair collection and handling of personal information by providing the framework under which agencies must operate in collecting, storing, managing, transferring, using and disclosing personal information. The IPPs provide for limited 'exceptions' to facilitate the business of government within the reasonable expectations of the community.

IPP 1 provides that an agency must not collect personal information in a manner that is unlawful or unfair. This requirement applies whether or not the information was requested from the individual concerned or another party. Collection of personal information for inclusion in a document or generally available publication must be for a lawful purpose directly related to the agency's functions and be necessary for, or directly related to, that purpose.

IPP 2 applies when an agency asks an individual directly to provide their own personal information for inclusion in a document or a generally available publication. If an agency asks an individual for their personal information, it must (at the time of collection, or as soon as reasonably practicable after the collection) take reasonable steps to advise the individual why it is collecting the information, any applicable legal authority to collect the information and to whom it may provide the information. IPP 2(5) recognises that there are emergency situations where notifying an individual (e.g. during delivery of emergency treatment) would have limited practical benefit and would not be within the reasonable expectation of the individual concerned.

IPP 3 applies when an agency requests personal information for inclusion in a document or a generally available publication from the individual concerned or another party. The agency must take reasonable steps to ensure that the information is relevant to the agency's reason for collecting it and that it is up-to-date and complete. IPP 3(3)(b) also requires that an agency must not intrude unreasonably on the personal affairs of the individual concerned, in terms of both the extent of the collection and the manner of collection.

IPP 4 obliges an agency with control of a document containing personal information to protect the document against loss, unauthorised access, use, modification, disclosure or any other misuse. This includes taking reasonable steps, such as security safeguards appropriate to the circumstances, to prevent unauthorised use or disclosure where a document containing personal information is provided to another person in connection with the provision of a service to the agency.

IPP 5 reflects that, in order to be able to exercise rights in relation to the personal information that an agency holds about them, an individual must be able to find out the existence, purpose and method of access of documents containing their personal information. IPP 5(2) does not require agencies to make details about personal information holdings known where the agency is authorised or required by law to refuse access to such details.

IPP 6 sets out the right of individuals to access their personal information held by an agency. Chapter 3 of the Bill provides one formal mechanism through which individuals may exercise this right; however, an agency may also provide access to personal information through other legislative or administrative access mechanisms. Any administrative processes must, in the absence of lawful authority, take account of the privacy principles when determining whether to give a person access.

IPP 7 sets out the right of individuals to amend their personal information held by an agency where such information is believed to be inaccurate, incomplete, out-of-date or misleading. Chapter 3 of the Bill provides a formal mechanism through which individuals may exercise this right.

IPPs 6 and 7 do not override existing legislative provisions governing an individual's ability to access or amend their own personal information, including those in chapter 3 of the Bill. A refusal to provide access to or amend personal information under such provisions would not be taken to be a breach of the IPPs.

IPP 8 requires that an agency must take reasonable steps to ensure that personal information is accurate, up-to-date and complete, before using it.

IPP 9 requires that an agency must only use personal information for a purpose to which it is directly relevant.

IPP 10 places limitations on the use of personal information by an agency. Generally, personal information should only be used for the purpose for which it was collected unless the use:
     ·    is one to which the individual has expressly or impliedly agreed (IPP 10(1)(a));
     ·    will mitigate a serious threat to an individual's or the public's life, health, safety or welfare (IPP 10(1)(b));
     ·    is authorised or required by law (IPP 10(1)(c));
     ·    is necessary for a purpose of a law enforcement agency (and proper notation of the use is made) (IPP 10(1)(d) and 10(2));
     ·    is for a purpose directly related to the original purpose (IPP 10(1)(e)), such as to plan improvements to the government service for which the information was originally collected; or
     ·    fulfils the stated requirements relating to research or analysis undertaken in the public interest (IPP 10(1)(f)).

IPP 11 places limitations on the disclosure of personal information by an agency. Generally, the information should not be disclosed except directly to the individual concerned unless the disclosure:
     ·    is one which the individual is or is reasonably likely to have been made aware of, usually through a collection notice in accordance with IPP 2 (IPP 11(1)(a));
     ·    is one to which the individual has expressly or impliedly agreed (IPP 11(1)(b));
     ·    will mitigate a serious threat to an individual's or the public's life, health, safety or welfare (IPP 11(1)(c));
     ·    is authorised or required by law (IPP 11(1)(d));
     ·    is necessary for a purpose of a law enforcement agency (and proper notation of the disclosure is made) (IPP 11(1)(e) and 11(2)); or
     ·    fulfils the stated requirements relating to research or analysis undertaken in the public interest (IPP 11(1)(f)).

IPP 11(3) requires an agency disclosing personal information under IPP 11(1) to take all reasonable steps to ensure the receiving entity will only use or disclose that information for the specific purpose for which it was disclosed.

IPP 11(4) sets out the prerequisites that must be met before an agency may disclose information which may be used for marketing purposes.

Schedule 4 National Privacy Principles

Schedule 4 is referred to in clause 30 of the Bill. Schedule 4 sets out the National Privacy Principles (NPPs) with which the Department of Health must comply under clause 31. The NPPs are adapted from the Privacy Act 1988 (Cth) and codify, with some amendments, the NPPs set out under the current administrative privacy regime, Information Standard 42A: Information Privacy for the Queensland Department of Health. The NPPs are specific to the Department of Health in order to provide ongoing continuity of practice and consistency with private sector health providers bound by the Commonwealth NPPs.

The NPPs give effect to the Bill's object of fair collection and handling of personal information by providing the framework under which the Department of Health must operate in collecting, storing, managing, transferring, using and disclosing personal information. The NPPs provide for limited 'exceptions' to facilitate the business of government within the reasonable expectations of the community, and provide for particular requirements in relation to two subsets of personal information: "sensitive information" and "health information", as defined in the dictionary in schedule 5 of the Bill.

NPP 1 governs the manner and extent of collection of personal information by the department and requires that the collection of personal information must be necessary for the functions and activities of the department as well as fair, lawful and not unreasonably intrusive to the individual. When personal information is collected, reasonable steps must be taken to ensure the individual is properly notified about relevant elements of that collection, except where the information is collected from a third party for the purposes of social, medical or family medical history taking, notification would pose a threat to an individual, or where the information is required under a statutory collection. Where reasonable and practicable, personal information should only be collected from the individual directly.

NPP 2 sets out the general rule that personal information may only be used or disclosed for the primary purpose of collection. There are limited exceptions to this rule, which allow for use or disclosure for a secondary purpose, where the purpose:
     ·    is related to the primary purpose of collection (directly related, in the case of sensitive information) and the individual concerned would reasonably expect such a use or disclosure to occur (NPP 2(1)(a));
     ·    is one to which the individual has consented (NPP 2(1)(b));
     ·    fulfils the stated requirements for a research or analysis purpose relevant to public health or safety (NPP 2(1)(c));
Information Privacy Bill 2009 · will mitigate a serious threat to an individual's or the public's life, health, safety or welfare (NPP 2(1)(d)); · is required to investigate or report unlawful activity (2(1)(e)); · is required or authorised under law (NPP 2(1)(f)); or · is necessary for a purpose of a law enforcement agency (and proper notation of the use or disclosure is made) NPP (2(1)(g) and 2(2)). However, NPP 2(3) authorises disclosure of an individual's personal information to a person responsible for the individual, where all stated requirements are satisfied. This provision relates to individual incapacity or inability to consent and what may reasonably be done to communicate personal information to appropriate individuals in such cases. NPP 2(5) sets out the prerequisites that must be met before non-sensitive personal information may be used for marketing purposes. NPP 3 requires that reasonable steps be taken to ensure that personal information collected, used or disclosed is subject to quality control, that is, as far as possible, the information must be accurate, complete and up-to-date. NPP 4 obliges the department to take reasonable steps, such as security safeguards appropriate to the circumstances, to protect the document against loss, unauthorised access, use, modification, disclosure or any other misuse. NPP 4(2) requires the de-identification of personal information if it is no longer needed for any of the uses or disclosures permissible under NPP 2. Despite this, NPP 4(2) does not override existing requirements for records retention and disposal within the Public Records Act 2002. NPP 5 requires that a document containing clear policies about the management of personal information is made available upon request. 
If requested, general details about the types of personal information held by the department should be made available, including details about the purpose(s) to which the information is put and how such information is collected, stored, used and disclosed.

NPP 6 sets out the right of individuals to access their personal information held by the department. Chapter 3 of the Bill provides one formal mechanism through which individuals may exercise this right; however, the department may also provide access to personal information through other legislative or administrative access mechanisms. Any administrative processes must, in the absence of lawful authority, take account of the privacy principles when determining whether to give a person access.

NPP 7 sets out the right of individuals to amend their personal information held by the department where such information is believed to be inaccurate, incomplete, out-of-date or misleading. Chapter 3 of the Bill provides one formal mechanism through which individuals may exercise this right.

NPPs 6 and 7 do not override existing legislative provisions governing an individual's ability to access or amend their own personal information, including those in chapter 3. A refusal to provide access to or amend personal information under such provisions would not be taken to be a breach of the NPPs.

NPP 8 requires that, where lawful and practicable, individuals should have the option of not identifying themselves when entering into transactions with the department.

NPP 9 places additional restrictions on the collection of personal information which is sensitive information, as defined in the dictionary in schedule 5. NPP 9(1) requires that the department not collect sensitive information, unless the collection:
     ·    is one to which the individual has consented (NPP 9(1)(a));
     ·    is required by law (NPP 9(1)(b));
     ·    will prevent or lessen a serious threat to any individual's life, health, safety or welfare, and the relevant individual is incapable of giving consent or unable to communicate consent (NPP 9(1)(c)); or
     ·    is necessary to establish, exercise or defend a legal or equitable claim (NPP 9(1)(d)); or
     ·    is a social, family or medical history, or other relevant information about necessary for the provision of a health service to an individual (NPP 9(1)(e)).

NPP 9(2) allows collection of health information where it is necessary to provide a health service and the individual would reasonably expect the collection to occur for that purpose or the collection is required or authorised by law.
NPP 9(3) allows collection of health information for public health or safety research or statistical analysis or the management, funding or monitoring of a health service under specified circumstances. Where health information is collected for the purposes in NPP 9(3), the department is obliged, prior to disclosing the information, to take reasonable steps to de-identify the information so the individual cannot be identified upon disclosure or in the future.

Schedule 5 Dictionary
Schedule 5 provides a dictionary to define key terms in the Bill.

© State of Queensland 2009

 

