The Queensland Information Privacy Act 2009 (the Act) provides a right for individuals to have their personal information collected and handled in accordance with certain rules or ‘privacy principles’.
The privacy principles only apply to Queensland Government agencies. The Act does not cover actions by individual citizens, private sector organisations or the community sector. Organisations with an annual turnover of more than $3 million and private sector health service providers are subject to the Australian Government's privacy legislation.
Personal information is any information about a person who can reasonably be identified (e.g. your name, address, phone number, email address, date of birth or photograph).
The privacy principles include:
- the Information privacy principles, which apply to all agencies other than health agencies
- the National privacy principles, which apply only to health agencies
- rules about transferring information outside Australia
- rules about entering into arrangements with contractors where the arrangement will involve an exchange of personal information.
The Office of the Information Commissioner (OIC) is an independent body that promotes privacy rights and obligations under the Act.
Find out more about privacy principles and how they apply to certain situations, such as using drones or camera surveillance.
Collecting personal information
We must only collect information that is directly related to, and necessary for, our functions and activities. We must do so in a way that:
- is lawful and fair
- does not unreasonably intrude into your personal affairs.
We must also take reasonable steps to make you aware (before or at the time of collecting):
- why we are collecting it
- who we will give it to―if it is our usual practice to give it to someone outside the agency.
Storing personal information
When a government agency stores information, we must protect it from misuse, including unauthorised:
Applying to access or amend your personal information
We must make sure you can easily find out what information we hold about you and how we use it.
Using and disclosing personal information
When using or disclosing your personal information, we must first take reasonable steps to check it is correct and up to date. We can’t:
- use more of it than we need to
- use it for another purpose except in a permitted circumstance
- disclose it outside the agency except in a permitted circumstance.
These circumstances include if:
- you have given your express (or implied) permission
- it is reasonably necessary to lessen or prevent a serious threat to life, health, safety or welfare
- it is authorised or required under a law
- it is reasonably necessary for certain activities by or for a law enforcement agency.
The privacy principles for health agencies cover the same actions of collection, storage, use and disclosure; however, they contain different obligations.
For example, health agencies may only collect sensitive information (e.g. health information) in specific circumstances. A health agency may also give your personal information to someone outside the agency without relying on a permitted exception if the disclosure is for the purpose for which the information was obtained in the first place.
When the privacy principles don’t apply
There are exceptions to the privacy principles, which are explained in the Act. This ensures we can continue to carry out our legitimate business dealings.
- certain entities (e.g. a commission of inquiry)
- particular functions of entities (e.g. a court’s judicial functions)
- certain documents (e.g. Cabinet documents)
- giving information to a minister to inform them about matters relevant to their portfolio responsibilities.
Only some of the privacy principles apply to:
- information related to or connected with personal information you have published or given for the purpose of publication
- specific law enforcement activities of a law enforcement agency (in certain circumstances).
Make a privacy complaint
If you believe that we have handled your personal information in a way that is not consistent with the privacy principles, you have the right to make a privacy complaint.
Step 1—Make a complaint to the relevant agency
Before making a formal privacy complaint, try talking with the relevant business area in the agency―this is often the quickest and easiest way to address your concerns.
If you are not satisfied with their response, you can make a formal written privacy complaint through the complaints process set up by the agency, explaining the act or practice you are concerned about. It is a good idea to keep a copy of the complaint for your records.
After 45 business days, you can take your privacy complaint to the OIC if you:
- do not receive a response
- are not satisfied with the response the agency gives you.
Step 2—Make a complaint to the OIC
You can lodge your complaint with the OIC online, by post or by email. The privacy complaint checklist contains a series of questions to help you work out if the OIC can deal with your complaint.
You must make your complaint in writing. If you need help to put your complaint in writing, call (07) 3234 7373 between 8.30am and 4.30pm weekdays.
Your written complaint must include:
- details of the act or practice you are complaining about
- the date that you first complained to the agency
- copies of any relevant documents
- what you are seeking to resolve your complaint.
Attention: Privacy team
Office of the Information Commissioner
PO Box 10143
BRISBANE QLD 4000
133 Mary Street
BRISBANE QLD 4000
Step 3—Wait to hear from OIC
Within 5 business days, you should receive notice from the OIC that your privacy complaint has been received. The OIC will then assess whether the subject matter of your complaint shows an ‘arguable case’ that a privacy breach has occurred. They will then provide you with a written notice that sets out the reason for their decision.
If your complaint is accepted
If the OIC accepts your complaint, they will work with you and the respondent agency to agree on options that will resolve the complaint (mediation).
If it appears to the OIC that mediation is not likely to resolve your complaint, you can ask for your complaint to be referred to the Queensland Civil and Administrative Tribunal (QCAT).
If a privacy complaint is referred to QCAT, you and the respondent agency will be the parties to the hearing before QCAT.
If your complaint is declined
If the OIC does not accept your complaint, there are no more options available for you to continue your complaint under the Act.