Queensland Consolidated Acts


INFORMATION PRIVACY ACT 2009 - SCHEDULE 3

SCHEDULE 3 – Information privacy principles

1 IPP 1—Collection of personal information (lawful and fair)

(1) An agency must not collect personal information for inclusion in a document or generally available publication unless—
(a) the information is collected for a lawful purpose directly related to a function or activity of the agency; and
(b) the collection of the information is necessary to fulfil the purpose or is directly related to fulfilling the purpose.
(2) An agency must not collect personal information in a way that is unfair or unlawful.

2 IPP 2—Collection of personal information (requested from individual)

(1) This section applies to the collection by an agency of personal information for inclusion in a document or generally available publication.
(2) However, this section applies only if the agency asks the individual the subject of the personal information for either—
(a) the personal information; or
(b) information of a type that would include the personal information.
(3) The agency must take all reasonable steps to ensure that the individual is generally aware of—
(a) the purpose of the collection; and
(b) if the collection of the personal information is authorised or required under a law—
(i) the fact that the collection of the information is authorised or required under a law; and
(ii) the law authorising or requiring the collection; and
(c) if it is the agency’s usual practice to disclose personal information of the type collected to any entity (the "first entity")—the identity of the first entity; and
(d) if the agency is aware that it is the usual practice of the first entity to pass on information of the type collected to another entity (the "second entity")—the identity of the second entity.
(4) The agency must take the reasonable steps required under subsection (3)—
(a) if practicable—before the personal information is collected; or
(b) otherwise—as soon as practicable after the personal information is collected.
(5) However, the agency is not required to act under subsection (3) if the personal information is collected in the context of the delivery of an emergency service.
Example—
personal information collected during a triple 0 emergency call or during the giving of treatment or assistance to a person in need of an emergency service

3 IPP 3—Collection of personal information (relevance etc.)

(1) This section applies to the collection by an agency of personal information for inclusion in a document or generally available publication.
(2) However, this section applies to personal information only if the agency asks for the personal information from any person.
(3) The agency must take all reasonable steps to ensure that—
(a) the personal information collected is—
(i) relevant to the purpose for which it is collected; and
(ii) complete and up to date; and
(b) the extent to which personal information is collected from the individual the subject of it, and the way personal information is collected, are not an unreasonable intrusion into the personal affairs of the individual.

4 IPP 4—Storage and security of personal information

(1) An agency having control of a document containing personal information must ensure that—
(a) the document is protected against—
(i) loss; and
(ii) unauthorised access, use, modification or disclosure; and
(iii) any other misuse; and
(b) if it is necessary for the document to be given to a person in connection with the provision of a service to the agency, the agency takes all reasonable steps to prevent unauthorised use or disclosure of the personal information by the person.
(2) Protection under subsection (1) must include the security safeguards adequate to provide the level of protection that can reasonably be expected to be provided.

5 IPP 5—Providing information about documents containing personal information

(1) An agency having control of documents containing personal information must take all reasonable steps to ensure that a person can find out—
(a) whether the agency has control of any documents containing personal information; and
(b) the type of personal information contained in the documents; and
(c) the main purposes for which personal information included in the documents is used; and
(d) what an individual should do to obtain access to a document containing personal information about the individual.
(2) An agency is not required to give a person information under subsection (1) if, under an access law, the agency is authorised or required to refuse to give that information to the person.

6 IPP 6—Access to documents containing personal information

(1) An agency having control of a document containing personal information must give an individual the subject of the personal information access to the document if the individual asks for access.
(2) An agency is not required to give an individual access to a document under subsection (1) if—
(a) the agency is authorised or required under an access law to refuse to give the access to the individual; or
(b) the document is expressly excluded from the operation of an access law.

7 IPP 7—Amendment of documents containing personal information

(1) An agency having control of a document containing personal information must take all reasonable steps, including by the making of an appropriate amendment, to ensure the personal information—
(a) is accurate; and
(b) having regard to the purpose for which it was collected or is to be used and to any purpose directly related to fulfilling the purpose, is relevant, complete, up to date and not misleading.
(2) Subsection (1) applies subject to any limitation in a law of the State providing for the amendment of personal information held by the agency.
(3) Subsection (4) applies if—
(a) an agency considers it is not required to amend personal information included in a document under the agency’s control in a way asked for by the individual the subject of the personal information; and
(b) no decision or recommendation to the effect that the document should be amended wholly or partly in the way asked for has been made under a law mentioned in subsection (2).
(4) The agency must, if the individual asks, take all reasonable steps to attach to the document any statement provided by the individual of the amendment asked for.

8 IPP 8—Checking of accuracy etc. of personal information before use by agency

Before an agency uses personal information contained in a document under its control, the agency must take all reasonable steps to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, complete and up to date.

9 IPP 9—Use of personal information only for relevant purpose

(1) This section applies if an agency having control of a document containing personal information proposes to use the information for a particular purpose.
(2) The agency must use only the parts of the personal information that are directly relevant to fulfilling the particular purpose.

10 IPP 10—Limits on use of personal information

(1) An agency having control of a document containing personal information that was obtained for a particular purpose must not use the information for another purpose unless—
(a) the individual the subject of the personal information has expressly or impliedly agreed to the use of the information for the other purpose; or
(b) the agency is satisfied on reasonable grounds that use of the information for the other purpose is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare; or
(c) use of the information for the other purpose is authorised or required under a law; or
(d) the agency is satisfied on reasonable grounds that use of the information for the other purpose is necessary for 1 or more of the following by or for a law enforcement agency—
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or
(e) the other purpose is directly related to the purpose for which the information was obtained; or
Examples for paragraph (e)—
1 An agency collects personal information for staff administration purposes. A new system of staff administration is introduced into the agency, with much greater functionality. Under this paragraph, it would be appropriate to transfer the personal information into the new system.
2 An agency uses personal information, obtained for the purposes of operating core services, for the purposes of planning and delivering improvements to the core services.
(f) all of the following apply—
(i) the use is necessary for research, or the compilation or analysis of statistics, in the public interest;
(ii) the use does not involve the publication of all or any of the personal information in a form that identifies any particular individual the subject of the personal information;
(iii) it is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use.
(2) If the agency uses the personal information under subsection (1)(d), the agency must include with the document a note of the use.

11 IPP 11—Limits on disclosure

(1) An agency having control of a document containing an individual’s personal information must not disclose the personal information to an entity (the "relevant entity"), other than the individual the subject of the personal information, unless—
(a) the individual is reasonably likely to have been aware, or to have been made aware, under IPP 2 or under a policy or other arrangement in operation before the commencement of this schedule, that it is the agency’s usual practice to disclose that type of personal information to the relevant entity; or
(b) the individual has expressly or impliedly agreed to the disclosure; or
(c) the agency is satisfied on reasonable grounds that the disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare; or
(d) the disclosure is authorised or required under a law; or
(e) the agency is satisfied on reasonable grounds that the disclosure of the information is necessary for 1 or more of the following by or for a law enforcement agency—
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or
(ea) all of the following apply—
(i) ASIO has asked the agency to disclose the personal information;
(ii) an officer or employee of ASIO authorised in writing by the director-general of ASIO for this paragraph has certified in writing that the personal information is required in connection with the performance by ASIO of its functions;
(iii) the disclosure is made to an officer or employee of ASIO authorised in writing by the director-general of ASIO to receive the personal information; or
(f) all of the following apply—
(i) the disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;
(ii) the disclosure does not involve the publication of all or any of the personal information in a form that identifies the individual;
(iii) it is not practicable to obtain the express or implied agreement of the individual before the disclosure;
(iv) the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity.
(2) If the agency discloses the personal information under subsection (1)(e), the agency must include with the document a note of the disclosure.
(3) If the agency discloses personal information under subsection (1), it must take all reasonable steps to ensure that the relevant entity will not use or disclose the information for a purpose other than the purpose for which the information was disclosed by the agency.
(4) The agency may disclose the personal information under subsection (1) if the information may be used for a commercial purpose involving the relevant entity’s marketing of anything to the individual only if, without limiting subsection (3), the agency is satisfied on reasonable grounds that—
(a) it is impracticable for the relevant entity to seek the consent of the individual before the personal information is used for the purposes of the marketing; and
(b) the relevant entity will not charge the individual for giving effect to a request from the individual to the entity that the individual not receive any marketing communications; and
(c) the individual has not made a request mentioned in paragraph (b); and
(d) in each marketing communication with the individual, the relevant entity will draw to the individual’s attention, or prominently display a notice, that the individual may ask not to receive any further marketing communications; and
(e) each written marketing communication from the relevant entity to the individual, up to and including the communication that involves the use, will state the relevant entity’s business address and telephone number and, if the communication with the individual is made by fax, or other electronic means, a number or address at which the relevant entity can be directly contacted electronically.


