The Queensland Information Privacy Act 2009 (the Act) sets out rules about how and when we can collect, store, use and give out your personal information. This includes rules about who can view your personal information, and where and how it must be stored (e.g. not on overseas databases).
Key parts of the Act are:
- The Information Privacy Principles—which all areas of the Queensland Government, except Queensland Health, must follow.
- The National Privacy Principles—which Queensland Health must follow.
- The bound contracted service provider obligations.
- The overseas transfer obligations.
Your personal information is any information about an identifiable person (e.g. your name, address, phone number, email address, age, gender, workplace, or position title).
You can make a complaint if your privacy has been breached.
For a detailed list of the privacy rules we have to follow, see Chapter 2 of the Act. A basic overview of your rights is below.
Collecting personal information
When we collect your personal information, we must:
- only ask you for as much information as we need for our purposes
- do so by legal and fair means
- tell you why we want to collect your information, what we will use it for, and, if we give it to anyone else, who they are
- not intrude more than we need to into your private life.
Storing personal information
When storing your personal information, we must:
- keep it in a safe place and secure it from unauthorised access, use, modification, disclosure or other misuse
- make sure you can easily find out what personal information we have of yours, what it is being used for and how you can apply to see it
- in most cases, let you see it or correct it when you ask.
What we cannot do with your personal information
We must not:
- use your information without first checking it is correct and up to date
- use or give out more of your information than we need to
- use your information for anything other purpose than we collect it for (unless required by law)
- share your information with areas outside of the government area who collected it (unless required by law)
- send your information outside Australia (except in specific situations).
Exceptions—when the privacy rules don’t apply
Government request to change or not follow the privacy principles
The Act lets Queensland government agencies (including statutory authorities and local government), and contractors working for us, apply to the Information Commissioner for approval to not follow or to change the privacy principles for a particular project (if we think it is essential). The Information Commissioner will only approve a request to ignore or change the principles if doing so will bring greater benefit to the Queensland public.
We list all approved requests on the Office of the Information Commissioner Queensland website for the entire time that we do not follow the privacy principles or use the changed privacy principles.
Reporting to ministers
If we need to give your personal information to a Queensland minister (to inform them of his or her portfolio responsibilities), we can do so and it is not a breach of the privacy principles.
Law enforcement areas of government (e.g. the Queensland Police Service or the Crime and Corruption Commission) that find, prevent, detect, investigate and take offenders to court, are allowed to not follow some of the privacy principles in certain circumstances, as long as they are satisfied on reasonable grounds that it is necessary.
The privacy principles do not apply to any of your personal information that has been published (information that is generally available for the public to see). For example, the principles would not apply to a book or a journal in a library or a public record in the state archives.
Posted letters and packages
The privacy principles do not apply to anything that is sent by mail while it is in transit (e.g. a letter with Australia Post).
The Act includes a list of documents that the privacy principles do not apply to. It does not matter which area of government holds these documents; they will always be exempt from the privacy rules. They are documents about:
- covert activity
- witness protection
- disciplinary action and misconduct
- public interest disclosure
- the cabinet and executive council
- commissions of inquiry.
Queensland Health and the national privacy principles
The Information Privacy Principles and National Privacy Principles are mostly the same. However, under the National Privacy Principles, Queensland Health must follow extra rules to protect your health and medical details. A basic overview of the key extra protections is below.
Anonymity—keeping your identity private
You can choose to give information without giving any details that identify you (so that Queensland Health cannot link your information and opinions to you). However, you can only do this at times where it is practical for you to do so and when the law does not require Queensland Health to know who you are.
Collecting your information
Queensland Health must take reasonable steps to give a collection notice (a statement that explains what your personal information is being collected for, why it is being collected and how it can be accessed) to anyone who they are seeking your personal information from (this could be you or someone else on your behalf). They must give this collection notice before or when they ask for information.
Queensland Health must not collect your sensitive information (i.e. information about your health, health history, wishes about future health decisions, disability, racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, memberships, sexual preferences, or criminal record) except when:
- you give consent
- the law requires them to collect your information
- they need your information to stop or reduce a serious threat to your life, health, safety or welfare and you are unable to give consent
- they need to collect your information for the establishment, or to exercise or defend a legal or equitable claim
- they need your medical history or social medial history to give someone (you, or another person) a health service, and they collect the information from
- the person getting the service
- your mother or father
- your child
- your sibling
- your spouse or de facto partner
- a relative you live with
- your legal guardian
- someone exercising their power under your enduring power of attorney
- your emergency contact.
Make a privacy complaint
You have the right to make a complaint if we breach one of your privacy rights.
Step 1—Make a complaint to the relevant office
Speak to the government office that you think has breached your privacy rights, over the counter or on the phone. When you speak to them, ask to talk to a privacy officer or, if they do not have one, their complaints area. If you are not happy with the response, send a written complaint (a letter or email) to the office telling them:
- that you called or spoke to someone at their office face-to-face and that you are not satisfied with the response
- which privacy principle you believe has been breached
- what made you think they breached the principle.
If they do not send you a response, or if you are not happy with the response they give you, you can make a written complaint to the Office of the Information Commissioner (Queensland), but you must wait 45 business days from when you first made your complaint.
Step 2—Make a complaint to the Office of the Information Commissioner
If the issue is a breach of your own privacy rights, you can make a complaint to the Office of the Information Commissioner Queensland online, by post or by email. See the privacy complaint checklist when writing your complaint. For further help with making your complaint, call (07) 3234 7373 (9am–5pm weekdays).
Write a complaint letter and post it to the Office of the Information Commissioner Queensland. Include your current contact details and explain the breach.
Attention: Privacy team
Office of the Information Commissioner
PO Box 10143
BRISBANE QLD 4000
Email firstname.lastname@example.org. Include your current contact details and explain the breach.
Step 3—Wait to hear from the Office of the Information Commissioner
The Office of the Information Commissioner Queensland:
- will tell you within 5 business days that they have got your complaint and discuss your complaint with you
- may contact you to ask for more information about the complaint
- will send you a letter or email to let you know if your complaint has been accepted (if accepted they will help to mediate the issue).
If your complaint is accepted
The Office of the Information Commissioner Queensland will:
- call the government office who breached your privacy
- write (by post or email) to you and the government office who breached your privacy
- attempt to resolve the complaint; this may mean they hold meetings with you and the government office.
If the Office of the Information Commissioner Queensland tries to resolve your complaint, but cannot do so, you can ask for your complaint to go to the Queensland Civil and Administrative Tribunal (QCAT). The Office of the Information Commissioner Queensland must refer your complaint to QCAT in 20 business days or less.
QCAT may mediate or hold a hearing and may order the government office that breached your privacy to do something such as making sure nothing similar ever happens again, apologising, or compensating you with an amount of money).
If your complaint is declined
If the Office of the Information Commissioner Queensland does not accept your complaint, there are no more options available for you to continue your complaint under the Act.
The Office of the Information Commissioner Queensland can:
- help you understand your privacy rights
- mediate privacy complaints that you have not been able to resolve with a Queensland Government agency.
You can contact the Office of the Information Commissioner Queensland by phone, fax, email, post or over the counter.
Call (07) 3234 7373.
Fax (07) 3405 1122.
Office of the Information Commissioner
PO Box 10143
BRISBANE QLD 4000
Over the counter
160 Mary Street
BRISBANE QLD 4000