Privacy Protocol 6 – use or disclosure of personal information for the purposes of law enforcement
Privacy principles prohibit disclosure of personal information outside the University (Information Privacy Principle 11). One exception to this general principle is where the use or disclosure is “reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty…”. When any staff member receives a request from law enforcement officers, the following protocol for liaison with the external agency must be used. General advice on the operation of this protocol may be obtained from the Privacy Contact Officer.
It is common for officers of law enforcement agencies to contact the Security Manager directly under established liaison arrangements with the University. Occasionally, officers of a law enforcement agency may direct enquiries to QUT Information via the general QUT telephone number, directly to staff in academic schools or other departments, or to library or computer lab helpdesks (especially after hours). Irrespective of where the enquiry is received, it should be referred to the Security Manager or, if the Security Manager is unavailable, to Security’s Central Monitoring Station Operator (extension 85585). If the enquiry is made outside normal business hours, it should be referred to Security’s Central Monitoring Station Operator.
The responsibility of the Security Officer dealing with the request is to:
- establish the bona fides of the officer making the enquiry;
- discuss the nature of the enquiry with the law enforcement officers involved with a view to obtaining confirmation that the disclosure of personal information is reasonably necessary for the law enforcement purpose (where possible, the Security Officer should consider whether there are other means for the law enforcement officers to obtain the information, for instance, by relying on legal compulsion, such as use of subpoenas or warrants);
- extract information from relevant University records or information systems;
- keep a record of the enquiry in order to satisfy the requirements of Information Privacy Principle 11.2 (see below).
Scope of the request
Privacy guidelines issued by the Commonwealth Privacy Commissioner indicate that it is inappropriate to rely on the law enforcement/revenue protection exceptions to justify disclosure of large amounts of personal data for data-matching purposes. Consequently, it is expected that this protocol will apply only to limited requests for information concerning a named individual. Disclosure of large numbers or groupings of personal records should only occur with express legislative authority.
Records of the enquiry
Information Privacy Principle 11 specifies that, where the personal information has been used or disclosed for law enforcement or revenue protection purposes, the University must “include in the record containing that information a note of the disclosure”. With paper records, this is straightforward, and IPP 11 can be satisfied by adding a note or attachment to the document holding the information (the content of the note should be consistent with the requirements for the log which are described below).
It is assumed, however, that most of the personal information which is sought will be recorded in computerised systems rather than paper records. A separate log of these disclosures must therefore be kept, since it will generally be impracticable to keep a note with the electronic record, and a computer audit trail recording who accessed particular computer records is insufficient to satisfy the IPP 11 requirements.
The log must contain sufficient detail of the enquiry to record:
- what type of personal information has been used and/or disclosed in accordance with this protocol;
- when the use or disclosure occurred, who used or disclosed the information (i.e. the name of the University officer who did so), to whom the information was disclosed and for what purpose.
The following information must be included in the log:
- Date of enquiry and date of use or disclosure;
- Name of organisation requesting the personal information;
- Name and contact details of person requesting the personal information;
- Nature of information requested;
- Source of the personal information requested;
- Purpose of and justification for disclosure.
Any records generated in dealing with the enquiry, such as faxes, emails and file notes, must be retained. The records and a log of the enquiry (summarising the above information) must be forwarded to Records Management Services on Gardens Point campus.
The information in the log (or in a note attached to paper records) may be made available for audits or FOI applications, but should not be available to staff who routinely access the records for normal administrative purposes only.
