Privacy rights

The Queensland Information Privacy Act 2009 (PDF) (the Act) provides a right for individuals to have their personal information collected and handled in accordance with certain rules or ‘privacy principles’.

The privacy principles only apply to Queensland Government agencies. The Act does not cover actions by individual citizens, private sector organisations or the community sector. Organisations with an annual turnover of more than $3 million and private sector health service providers are subject to the Commonwealth privacy legislation.

Personal information is any information about a person who can reasonably be identified (e.g. your name, address, phone number, email address, date of birth or photograph).

The privacy principles include:

The Office of the Information Commissioner (OIC) is an independent body that promotes privacy rights and obligations under the Act.

Find out more about privacy principles and how they apply to certain situations, such as using drones or camera surveillance.

Collecting personal information

When a government agency collects information, we must only collect information that is directly related to, and necessary for, our functions and activities. We must do so in a way that:

  • is lawful and fair
  • does not unreasonably intrude into your personal affairs.

We must also take reasonable steps to make you aware (before or at the time of collecting):

  • why we are collecting it
  • who we will give it to―if it is our usual practice to give it to someone outside the agency.

Storing personal information

When a government agency stores information, we must protect it from misuse, including unauthorised:

  • access
  • use
  • modification
  • disclosure.

Applying for access to or amendment of your personal information

Using and disclosing personal information

When using or disclosing your personal information, we must first take reasonable steps to check it is correct and up to date. We can’t:

  • use more of it than we need to
  • use it for another purpose except in a permitted circumstance
  • disclose it outside the agency except in a permitted circumstance.

These circumstances include:

  • if you have given your express (or implied) permission
  • if it is reasonably necessary to lessen or prevent a serious threat to life, health, safety or welfare
  • if it is authorised or required under a law
  • if it is reasonably necessary for certain activities by or for a law enforcement agency.

Health agencies

The privacy principles for health agencies cover the same actions of collection, storage, use and disclosure; however, they contain different obligations.

For example, health agencies may only collect sensitive information (such as health information) in specific circumstances. A health agency may also give your personal information to someone outside the agency without relying on a permitted exception if the disclosure is for the purpose for which the information was obtained in the first place.

When the privacy principles don’t apply

There are exceptions to the privacy principles, which are explained in the Act. This ensures we can continue to carry out our legitimate business dealings.

Exceptions include:

Only some of the privacy principles apply to:

Make a privacy complaint

If you believe that we have handled your personal information in a way that is not consistent with the privacy principles, you have the right to make a privacy complaint.

Step 1—Make a complaint to the relevant agency

Before making a formal privacy complaint, try talking with the agency―this is often the quickest and easiest way to address your concerns. When you speak to them, ask to talk to a privacy officer or, if they do not have one, their complaints area.

If you are not satisfied with their response, you will need to make a formal written privacy complaint through the complaints process set up by the agency, explaining the act or practice you are concerned about. It is a good idea to keep a copy of the complaint for your records.

After 45 business days, you can bring your privacy complaint to the OIC if:

  • you do not receive a response
  • you are not satisfied with the response they give you.

Step 2—Make a complaint to the OIC

You can lodge your complaint with the OIC online, by post or by email. The privacy complaint checklist contains a series of questions to help you work out if the OIC is able to deal with your complaint.

You must make your complaint in writing. If you need help to put your complaint in writing, call (07) 3234 7373, 8:30am–4:30pm weekdays.

Your written complaint should include:

  • details of the act or practice you are complaining about
  • the date that you first complained to the agency
  • copies of any relevant documents
  • what you are seeking to resolve your complaint.

Online

Complete the online privacy complaint form.

By post

Attention: Privacy team
Office of the Information Commissioner
PO Box 10143
Adelaide Street
BRISBANE QLD 4000

By email

Email administration@oic.qld.gov.au.

Step 3—Wait to hear from OIC

You should receive notice from the OIC that your privacy complaint has been received within 5 business days. The OIC will then assess whether the subject matter of your complaint shows an ‘arguable case’ that a privacy breach has occurred. They will then provide you with a written notice that sets out the reason for their decision.

Find out what to expect when you lodge a privacy complaint.

If your complaint is accepted

If the OIC accepts your complaint, they will work with you and the respondent agency to agree on options that will resolve the complaint (mediation).

If it appears to the OIC that mediation is not likely to resolve your complaint, you can ask for your complaint to be referred to the Queensland Civil and Administrative Tribunal (QCAT).

If a privacy complaint is referred to QCAT, you and the respondent agency will be the parties to the hearing before QCAT, with no further involvement of the OIC.

If your complaint is declined

If the OIC does not accept your complaint, there are no more options available for you to continue your complaint under the Act.

Contact us

You can contact the OIC by phone, email, post or over the counter.

By phone

Call (07) 3234 7373.

By email

Email enquiries@oic.qld.gov.au.

By post

Office of the Information Commissioner
PO Box 10143
Adelaide Street
BRISBANE QLD 4000

Over the counter

Level 7
133 Mary Street
BRISBANE QLD 4000

Accessing and changing personal information we have about you

Visit the Office of Information Commissioner Queensland.

Last updated
25 May 2018