Overview of the National Privacy Principles

The National Privacy Principles (NPPs) apply to health agencies¹ when collecting, accessing, using and disclosing personal information. The NPPs enable individuals to be aware of the purpose their personal information is held by health agencies, whilst the provision also provides an individual with the right to access and amend such information. The NPPs are set out in schedule 4 of the Information Privacy Act 2009 (Qld).

Collection

NPP 1 details the way that personal information should be collected by health agencies. Importantly, there must be a clear purpose for collecting the information, and the individual providing the information should be informed by an appropriate collection notice, detailing the intended use and/or disclosure of the personal information.

The purpose for collecting personal information will often have a basis in law, and legislation may regulate the collection process. It is the responsibility of individual health agencies to clearly advise the individual about the function and purpose the personal information is going to fulfill within that agency. Requesting personal information of no use to that health agency will be a breach of NPP 1.

For a more detailed analysis of NPP 1 see the Basic guide to NPP 1 – Collection.

Collection of sensitive information

Sensitive information includes certain health information about an individual and information about sensitive subjects such as an individual's political opinions, religion, sexual preferences or criminal record.

Health agencies must not collect sensitive information about an individual except in certain circumstances, such as where the individual has consented, the collection is required by law, the collection is necessary to prevent a serious threat to life, etc. The two exceptions to this rule are:

For a more detailed analysis of NPP 9 see the Basic guide to NPP 9 – Collection of Sensitive Information.

Use or disclosure

NPP 2 explains the limitations of use and disclosure of personal information, whether it be for a primary or secondary purpose. Although health agencies should only use or disclose personal information for the primary purpose for which it was collected, there are circumstances where secondary use or disclosure may be acceptable, such as:

• for research purposes where it is impracticable to seek consent from the individual
• for the prevention or lessening of a serious threat to the health and safety of either an individual or the public
• for investigation and/or reporting of suspected unlawful activity where it may be suspected that such activity is continuing to occur
• where personal information is required to accord the process of natural justice
• where an enforcement body may require the personal information for the preparation or conduct of court or tribunal proceedings
• information required by statutory provisions subject to use and disclosure of personal information; and
• marketing purposes, so long as there is a simple and easy procedure for removing an individual from the the health agency's commercial marketing list.

Consent is the simplest way of validly using or disclosing personal information for a purpose not stated at the time of collection and can be sought by either:

• asking an individual if they consent to their information being used or disclosed (opting in); or
• informing an individual that the health agency is going to use or disclose their personal information unless the individual tells them not to (opting out).

For a more detailed analysis of NPP 2 see the Basic guide to NPP 2 – Use or Disclosure.

Data quality and security

Health agencies must take reasonable steps to:

• ensure that the personal information they collect, use or disclose is accurate, complete and up to date; and
• protect the personal information they hold from misuse, loss and unauthorised access, modification or disclosure.

If the personal information is no longer needed for any purpose for which the information may be used or disclosed, health agencies must take reasonable steps to ensure that the individual the subject of the personal information can no longer and can not in future, be identified from the personal information (subject to health agencies' obligations under the Public Records Act 2023 (Qld)).

For a more detailed analysis of NPPs 3 and 4 see the Basic guide to NPPs 3 and 4 – Data Quality and Security.

Access, amendment and anonymity

Under NPP 5, health agencies must have personal information management policies available upon request. Individuals may also specifically request that a health agency provide information about what sort of personal information the agency holds about the individual and how it deals with that information.

NPPs 6 and 7 provide that where a health agency has control of a document containing personal information about an individual, it must:

• give the individual access to the document upon request, unless the health agency is authorised or required to refuse access or the document is expressly excluded by an operation of an access law; and
• take all reasonable steps (including amendment) to ensure that the personal information is accurate, relevant, complete, up to date and not misleading (subject to any legal limitation on amendment).

However, if the health agency lawfully decides not to amend the personal information then it must, if the individual asks, attach a statement of the requested amendment to the document.

Under NPP 8, health agencies must allow individuals the option of not identifying themselves when entering into transactions with the health agency, wherever this is lawful and practicable.

For a more detailed analysis of NPPs 5 to 8 see the Basic guide to NPPs 5 to 8 – Access, Amendment and Anonymity.