Checklist - Consent
View the document below or download it here Checklist - Consent June 2023
This self-assessment checklist has been designed to assist agencies and their staff in the assessment of whether consent is required for the use and disclosure of personal information that the agency has collected and holds in the exercise of its functions.
It is provided as general guidance and is not legal advice. Each agency should take reasonable steps to inform itself of its legal responsibilities under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act), in relation to the collection, use or disclosure of personal or health information.
Privacy laws in NSW generally require that an individual’s consent is needed for how an agency can use or disclose their personal information.
The five key elements of consent are:
- the individual gives consent voluntarily
- the individual is adequately informed before giving consent
- the consent is specific
- the consent is current
- the individual has the capacity to understand and communicate their consent.
“Personal information” is defined at s.4 of the PPIP Act as “information or an opinion…about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.
“Health information” is defined at s.6 of the HRIP Act as “personal information that is information or an opinion about the physical or mental health or a disability of an individual; express wishes about the future provision of health services; a health service provided or to be provided; any other personal information collected to provide or in providing a health service”. The definition also includes information having to do with organ donation and genetic information.
|
|
Assessment questions |
Status |
Comments |
|
|---|---|---|---|---|
|
Collection |
||||
|
1 |
Is this information necessary for what I am doing? |
☐ YES ☐ NO |
If no, stop, do not collect. If yes, go to step 2. |
|
|
2 |
Am I collecting information directly from the person, unless it is unreasonable or impractical? |
☐ YES ☐ NO |
If no, stop, contact the person directly for the information required. If yes, go to step 3. |
|
|
3 |
Have you advised them:
Have you also told them that they can correct it? Have you also told them that if they do not provide it to you, you may not be able to provide them with the services they request? |
☐ YES ☐ NO |
If no, stop and call the person. If yes, go to step 4. |
|
|
4 |
Is the information relevant, accurate, up-to-date and not excessive? |
☐ YES ☐ NO |
If no, stop collection of the information. If yes, go to step 5 |
|
|
5 |
Does it unreasonably intrude into the personal affairs of the individual? |
☐ YES ☐ NO |
If yes, stop collection and re-assess why you need the information. If no, proceed to collection. |
|
|
The above processes are for collection. For use and disclosure please see below: |
||||
|
Part 1 – Is consent required |
||||
|
1 |
Am I intending to use or disclose personal or health information? |
☐ YES ☐ NO |
If no, no consent is required. If yes, proceed to step 2.
|
|
|
2 |
Am I using personal or health information for the primary purpose for which the personal information or health information was collected in the first place? |
☐ YES ☐ NO |
If yes, no consent is required. If no, proceed to step 2a. |
|
|
2a |
Am I disclosing personal or health information for the primary purpose for which the personal or health information was collected in the first place? |
☐ YES ☐ NO |
If yes, no consent is required. If no, proceed to step 3. |
|
|
3 |
Am I using personal or health information for a directly related purpose? |
☐ YES ☐ NO |
If yes, no consent is required. If no proceed to step 3a.
|
|
|
3a |
Am I using personal or health information for a related secondary purpose (which is within the person’s reasonable expectations, or to which you have no reason to believe they would object)? |
☐ YES ☐ NO |
If yes, no consent is required. If no proceed to step 3b. |
|
|
3b |
Am I disclosing personal or health information for a directly related purpose? |
☐ YES ☐ NO |
If yes, no consent is required. If no proceed to step 3c. |
|
|
3c |
Am I disclosing personal or health information for a related secondary purpose (which is within the person’s reasonable expectations, or to which you have no reason to believe they would object)? |
☐ YES ☐ NO |
If yes, no consent is required. If no proceed to step 4. |
|
|
4 |
Am I using or disclosing personal or health information that is authorised or required under another law? |
☐ YES ☐ NO
|
If yes, no consent is required. Then consent is required. Proceed to step 5 |
|
|
Part 2 – When is consent valid? For consent to be valid it must be voluntary, informed, specific, current and given by a person who has capacity to give it. |
||||
|
5 |
In order for consent to be voluntary: Was the person free to exercise genuine choice about whether to give or withhold consent? |
☐ YES ☐ NO |
If no, consent is required. If yes, proceed to step 6. |
|
|
6 |
Was consent given without coercion or threat? |
☐ YES ☐ NO |
If no, consent is required. If yes, proceed to step 7. |
|
|
7 |
Was sufficient time allowed to understand the request and, if appropriate, take advice? |
☐ YES ☐ NO |
If no, consent is required. If yes, proceed to step 8. |
|
|
8 |
Is the consent informed: Does the person have reasonable knowledge of all the relevant facts before they give or refuse consent? The relevant facts will include:
|
☐ YES ☐ NO |
If no, consent is required. If yes, proceed to step 9. |
|
|
9 |
Is the consent specific: Is the consent reasonably specific as opposed to general, blanket or bundled? The Privacy Commissioner has advised that reliance on “general, blanket or bundled” consent terms “can be problematic”; instead a form should separate out each request with “separate boxes” to tick to indicate consent Bundled consent refers to the practice of an organisation 'bundling' together multiple requests for an individual's consent to a wide range of collections, uses and disclosures of personal information, without giving the individual the opportunity to choose which collections, uses and disclosures they agree to and which they do not. An example of a bundled consent is seeking consent to 'all legitimate uses or disclosures'. |
☐ YES ☐ NO
|
If no, proceed to step 10. If yes, proceed to step 13. |
|
|
10 |
Is the consent current: Was the person advised of a specified period for reliance on their consent? |
☐ YES ☐ NO |
If no, consent is required. If yes, proceed to step 11. |
|
|
11 |
Was the person advised that they are entitled to revoke consent later on? |
☐ YES ☐ NO |
If no, consent is required. If yes, proceed to step 12 |
|
|
12 |
Is the consent given by a person with capacity? Is the person giving consent able to understand the general nature and effect of a particular proposed use or disclosure of their personal information and able to communicate their consent? |
☐ YES ☐ NO
|
If no, consent is required from their guardian. If yes, proceed to step 13. |
|
|
Part 3 – Should consent be written or verbal? Consent and refusal of consent can be indicated in writing, verbally, or through an individual’s conduct or action. Wherever practicable, consent should be sought in writing. |
||||
|
Part 4 – Is consent expressed |
||||
|
13 |
Has the consent been clearly and unmistakably communicated by the person?
|
☐ YES ☐ NO
|
If no, consent is required. If yes, you are now able to use and/or disclose their personal or health information. |
|
For more information
Contact the Information and Privacy Commission NSW:
freecall: 1800 472 679
email: ipcinfo@ipc.nsw.gov.au
website: www.ipc.nsw.gov.au
