Information Privacy Act 2009 (Qld)


Information Privacy Act 2009

An Act to provide safeguards for the handling of personal information in the public sector environment

Chapter 1    Preliminary

Part 1    Introductory

1   Short title

This Act may be cited as the Information Privacy Act 2009.

2   Commencement

This Act commences on a day to be fixed by proclamation.

3   Object of Act

(1)The primary object of this Act is to provide for the fair collection and handling in the public sector environment of personal information.
(2)The Act must be applied and interpreted to further the primary object.

4   [Repealed]

5   [Repealed]

6   Scope of personal information under this Act

This Act applies to the collection of personal information, regardless of when it came into existence, and to the storage, handling, accessing, amendment, management, transfer, use and disclosure of personal information regardless of when it was collected.

7   Relationship with other laws regulating personal information

(1)This Act is intended to operate subject to the provisions of other Acts regulating—
(a)the collection, storage, handling, accessing, amendment, management, transfer and use of personal information; or
(b)the disclosure, within the meaning of section 23, of personal information.
(2)Without limiting subsection (1), the operation of QPPs 6.1 and 6.2(d) and the permitted health situation mentioned in schedule 4, section 5 do not override any law with respect to assisted and substituted decision-making, including, for example, the Guardianship and Administration Act 2000 and the Powers of Attorney Act 1998.

8   Relationship with other Acts regulating disposal of information

This Act does not affect the provisions of other Acts regulating the disposal of information (however described).

9   [Repealed]

10   Act binds State

This Act binds the State.

Part 2    Interpretation

11   Definitions

The dictionary in schedule 5 defines particular words used in this Act.

12   Meaning of personal information

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—
(a)whether the information or opinion is true or not; and
(b)whether the information or opinion is recorded in a material form or not.

13   Meaning of held or holds in relation to personal information

Personal information is held by a relevant entity, or the entity holds personal information, if the personal information is contained in a document in the possession, or under the control, of the relevant entity.

14   [Repealed]

15   Meaning of document

In this Act, a document does not include a document to which the privacy principle requirements do not apply.

16   Meaning of document to which the privacy principle requirements do not apply

In this Act, a document to which the privacy principle requirements do not apply means a document mentioned in schedule 1.

17   [Repealed]

18   Meaning of agency

(1)In this Act, an agency means—
(a)a Minister; or
(b)a department; or
(c)a local government; or
(d)a public authority.
(2)However, in this Act, agency does not include an excluded entity.
(3)For this Act—
(a)a board, council, committee, subcommittee or other body established by government to help, or to perform functions connected with, an agency is not a separate agency, but is taken to be comprised within the agency; and
(b)a reference to an agency includes a reference to a body that is taken to be comprised within the agency; and
(c)a reference to local government includes a reference to the Wide Bay Water Corporation.
(4)In this section—
excluded entity means—
(a)an entity mentioned in schedule 2, part 1; or
(b)an entity mentioned in schedule 2, part 2 in relation to the function mentioned in that part.

19   [Repealed]

20   Special provision about application of Act to a Minister

If a provision of this Act applies to a Minister, the provision applies only for acts done, or practices engaged in, as the case may be, in the Minister’s capacity as a Minister in relation to the affairs of an agency administered by the Minister.

21   Meaning of public authority

(1)In this Act, public authority means any of the following entities—

Note—

Under the Acts Interpretation Act 1954, schedule 1—

entity includes a person and an unincorporated body.

(a)an entity—
(i)established for a public purpose by an Act; or
(ii)established by government under an Act for a public purpose, whether or not the public purpose is stated in the Act;
(b)an entity created by the Governor in Council or a Minister;
(c)another entity declared by regulation to be a public authority for this Act, being an entity—
(i)supported directly or indirectly by government funds or other government assistance; or
(ii)over which government is in a position to exercise control; or
(iii)established under an Act; or
(iv)given public functions under an Act;
(d)subject to subsection (4), a person holding an office established under an Act;
(e)a person holding an appointment—
(i)made by the Governor in Council or Minister otherwise than under an Act; and
(ii)declared by regulation to be an appointment the holder of which is a public authority for this Act.
(2)For subsection (1)(c), an entity may be declared by regulation to be a public authority for this Act in relation to only a part of the entity’s functions.
(3)A prescribed entity is not a public authority in relation to documents received, or created, by it in performing a function other than the public function given under an Act.
(4)A person is not a public authority merely because the person holds—
(a)an office the duties of which are performed as duties of employment as an agency’s officer; or
(b)an office of member of a body; or
(c)an office established under an Act for the purposes of an agency.
(5)In this section—
prescribed entity means an entity that is a public authority only because it is given public functions under an Act and is declared by regulation to be a public authority for this Act.

22   [Repealed]

23   What it means to disclose personal information and to use personal information

(1)An entity (the first entity) discloses personal information to another entity (the second entity) if—
(a)the second entity does not know the personal information, and is not in a position to be able to find it out; and
(b)the first entity gives the second entity the personal information, or places it in a position to be able to find it out; and
(c)the first entity ceases to have control over the second entity in relation to who will know the personal information in the future.
(2)An entity uses personal information if it—
(a)manipulates, searches or otherwise deals with the information; or
(b)takes the information into account in the making of a decision; or
(c)transfers the information from a part of the entity having particular functions to a part of the entity having different functions.
(3)Subsection (2) does not limit what actions may be use of the personal information.
(4)However, use of the personal information does not include the action of disclosing the personal information to another entity.

24   References to doing an act or engaging in a practice

In this Act, a reference to doing an act or engaging in a practice in contravention of a requirement includes a reference to a failure to act or a failure to engage in a practice in contravention of the requirement.

25   [Repealed]

Chapter 2    Queensland privacy principles

Part 1    Compliance with QPPs by agencies

26   Queensland privacy principles

(1)Each Queensland privacy principle (QPP) is set out in schedule 3.
(2)In this Act, a reference to a QPP followed by a number is a reference to the provision of schedule 3 having that number.

27   Agencies to comply with QPPs

(1)An agency must comply with the QPPs.

Note—

For the application of the Act in relation to a Minister, see also section 20.
(2)Without limiting subsection (1), the agency must not do an act or engage in a practice that contravenes, or is otherwise inconsistent with, a requirement of a QPP.
(3)An act or practice mentioned in subsection (2) includes any act or practice relating to the agency’s collection, storage, handling, accessing, amendment, management, transfer, use or disclosure of personal information.

28   Noncompliance with particular QPPs

(1)An agency is not required to comply with a prescribed QPP in relation to an individual’s personal information if the information is related to or connected with personal information of the individual that has previously been published, or given for the purpose of publication, by the individual.
(2)In this section—
prescribed QPP means QPP 6 or 10.2.
publish, for personal information, means publish the information by way of television, newspaper, radio, internet or other form of communication.

29   Special provision for law enforcement agencies

(1)A law enforcement agency is not subject to QPP 3.6, 5, 6 or 10.1, but only if the law enforcement agency is satisfied on reasonable grounds that noncompliance with the QPP is necessary for—
(a)if the enforcement agency is the Queensland Police Service—the performance of its activities related to the enforcement of laws; or
(b)if the enforcement agency is the Crime and Corruption Commission—the performance of its activities related to the enforcement of laws and its intelligence functions; or
(c)if the enforcement agency is the community safety department—the containment, supervision and rehabilitation of offenders under the Corrective Services Act 2006 and the supervision of prisoners subject to supervision orders or interim supervision orders under the Dangerous Prisoners (Sexual Offenders) Act 2003; or
(d)if the enforcement agency is any other law enforcement agency—the performance of its responsibility mentioned in schedule 5, definition law enforcement agency, paragraph (b)(iv), including the conduct of proceedings started or about to be started in a court or tribunal in relation to the responsibility.
(2)In this section—
intelligence functions means the functions mentioned in the Crime and Corruption Act 2001, section 53.

Part 2    Disclosure of personal information outside Australia

30   [Repealed]

31   [Repealed]

32   [Repealed]

33   Disclosure of personal information outside Australia

An agency may disclose an individual’s personal information to an entity outside Australia only if—
(a)the individual agrees to the disclosure; or
(b)the disclosure is authorised or required under a law; or
(c)the agency is satisfied on reasonable grounds that the disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare; or
(d)2 or more of the following apply—
(i)the agency reasonably believes that the recipient of the personal information is subject to a law, binding scheme or contract that effectively upholds principles for the fair handling of personal information that are substantially similar to the QPPs;
(ii)the disclosure is necessary for the performance of the agency’s functions in relation to the individual;
(iii)the disclosure is for the benefit of the individual but it is not practicable to seek the agreement of the individual, and if it were practicable to seek the agreement of the individual, the individual would be likely to give the agreement;
(iv)the agency has taken reasonable steps to ensure that the personal information it discloses will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the QPPs.

Part 3    Compliance with parts 1 and 2 and s 41 by contracted service providers

34   Meaning of service arrangement

(1)In this Act, a service arrangement is a contract or other arrangement entered into after the commencement of this section under which an entity other than an agency (the contracted service provider) agrees or otherwise arranges with an agency (the contracting agency) to provide services.
(2)For subsection (1)—
(a)the services must be for the purposes of the performance of 1 or more of the contracting agency’s functions; and
(b)the services must be provided either—
(i)directly to the contracting agency; or
(ii)to another entity on the contracting agency’s behalf; and
(c)the contracted service provider must not be in the capacity of employee of the contracting agency in providing the services.

35   Binding a contracted service provider to privacy principle requirements

(1)An agency entering into a service arrangement must take all reasonable steps to ensure that the contracted service provider is required to comply with parts 1 and 2 and section 41, as if it were the agency, in relation to the discharge of its obligations under the arrangement.
(2)However, the agency must comply with subsection (1) only if—
(a)the contracted service provider will in any way deal with personal information for the contracting agency; or
(b)the provision of services under the arrangement will involve—
(i)the transfer of personal information to the contracting agency; or
(ii)the provision of services to a third party for the contracting agency.
(3)The agency is not required to comply with subsection (1) if—
(a)the contracted service provider is to receive funding from the contracting agency; and
(b)the contracted service provider will not collect personal information for the contracting agency; and
(c)the contracted service provider will not receive any personal information from the contracting agency for the purposes of discharging its obligations; and
(d)the contracted service provider will not be required to give the contracting agency any personal information it collects in discharging its obligations.
(4)Subsections (1) to (3) are not intended to limit what may be provided for in a service arrangement about the contracted service provider’s collection, storage, handling, accessing, amendment, management, transfer, use or disclosure of personal information, whether or not the contracted service provider is a bound contracted service provider.

36   Bound contracted service provider to comply with privacy principle requirements

(1)A bound contracted service provider under a service arrangement must comply with parts 1 and 2 and section 41 in relation to the discharge of its obligations under the arrangement as if it were the entity that is the contracting agency.
(2)The requirement to comply under subsection (1) continues to apply to the bound contracted service provider in relation to personal information it continues to hold after its obligations under the service arrangement otherwise end.
(3)A bound contracted service provider’s compliance with the privacy principle requirements may be enforced under this Act as if it were an agency.
(4)Subsections (1) to (3) are not intended to prevent a service arrangement from including a requirement for the contracted service provider to comply with all or part of the privacy principles even though this part does not require that the service arrangement include the requirement.

37   Contracting agency to comply with privacy principles if contracted service provider not bound

(1)This section applies if a contracted service provider under a service arrangement is not a bound contracted service provider because the contracting agency under the service arrangement did not take the steps required of it under section 35.
(2)The obligations that would attach to the contracted service provider if it were a bound contracted service provider attach instead to the contracting agency under the arrangement.

Part 5    Provision of information to Ministers

38   Personal information relevant to portfolio responsibilities

An agency does not contravene the requirement under this Act that it comply with the QPPs only because it gives personal information to a Minister to inform the Minister about matters relevant to the Minister’s responsibilities in relation to the agency.

Part 6    Miscellaneous

39   Nature of rights created by pts 1 to 3

(1)Except as provided for under the procedures set out in this Act, an obligation imposed on an entity under part 1, 2 or 3 does not—
(a)give rise to any civil cause of action; or
(b)operate to create in any person any legal right enforceable in a court or tribunal.
(2)Subsection (1) does not limit chapter 5.

Chapter 3    QPP codes and guideline for permitted general situations

Part 1    QPP codes

40   QPP codes

(1)A QPP code is a written code of practice about information privacy, approved by regulation under section 43, that states—
(a)how 1 or more of the QPPs are to be applied or complied with; and
(b)the agencies that are bound by the code, or a way of determining the agencies that are bound by the code.
(2)A QPP code may also impose additional requirements to those imposed by a QPP, to the extent the additional requirements are not inconsistent with a QPP.
(3)A QPP code expires on the earlier of the following days—
(a)the day that is 5 years after the day the QPP code is approved under section 43;
(b)if the QPP code states an expiry day—the stated day.

41   Agencies must comply with QPP codes

An agency must not do an act, or engage in a practice, that contravenes a QPP code that is in effect and binds the agency.

42   Preparing QPP codes

(1)The information commissioner or an agency may prepare a draft QPP code or draft amendment of a QPP code and submit the draft to the Minister for endorsement.
(2)However, before the information commissioner or agency submits the draft code or amendment to the Minister, the commissioner or agency must—
(a)publish the draft on an accessible agency website; and
(b)invite the public to make submissions to the commissioner or agency about the draft within a stated period of at least 20 business days; and
(c)consider any submissions made within the stated period.
(3)An agency must, immediately after publishing a draft QPP code or draft amendment of a QPP code under subsection (2), notify the information commissioner of the publication.

43   Approval of QPP codes or amendments of QPP codes

(1)This section applies if a draft QPP code or draft amendment of a QPP code is submitted to the Minister under section 42.
(2)If the draft is submitted by an agency, the Minister must ask the information commissioner for submissions about the draft.
(3)The Minister must decide to endorse or refuse to endorse the draft, having regard to—
(a)any submissions made by the information commissioner; and
(b)any other relevant matter.
(4)If the Minister endorses the draft, the Minister must recommend to the Governor in Council the making of a regulation approving the QPP code or amended QPP code.
(5)The QPP code or amended QPP code—
(a)does not take effect unless it is approved by regulation; and
(b)takes effect on the day prescribed by regulation for the code or amended code.
(6)The information commissioner must, as soon as practicable after a regulation approving a QPP code or amended QPP code is made, publish the code or amended code on the commissioner’s website.

Part 2    Guideline for permitted general situations

44   Preparing guideline

(1)The information commissioner may—
(a)prepare a draft guideline about the collection, use or disclosure of personal information to assist an entity locate a person who has been reported as missing; and
(b)submit the draft to the Minister for endorsement.
(2)However, before the information commissioner submits the draft guideline to the Minister, the commissioner must—
(a)publish the draft on the commissioner’s website; and
(b)invite the public to make submissions to the commissioner about the draft within a stated period of at least 20 business days; and
(c)consider any submissions made within the stated period.

45   Approval of guideline

(1)This section applies if a draft guideline is submitted to the Minister under section 44.
(2)The Minister must decide to endorse or refuse to endorse the draft.
(3)If the Minister endorses the draft, the Minister must recommend to the Governor in Council the making of a regulation approving the guideline.
(4)The guideline—
(a)does not take effect unless it is approved by regulation; and
(b)takes effect on the day prescribed by regulation for the guideline; and
(c)expires 5 years after the day mentioned in paragraph (b).
(5)The information commissioner must, as soon as practicable after a regulation approving a guideline is made under this section, publish the guideline on the commissioner’s website.

Chapter 3A    Mandatory notification of data breaches

Part 1    Preliminary

46   Application of chapter

This chapter applies in relation to personal information, other than personal information in a document to which the privacy principle requirements do not apply, held by an agency.

47   Meaning of eligible data breach

(1)An eligible data breach of an agency is a data breach of the agency that occurs in relation to personal information held by the agency if—
(a)both of the following apply—
(i)the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information;
(ii)the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2); or
(b)the data breach involves the personal information being lost in circumstances where—
(i)unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and
(ii)if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2).
(2)For subsection (1)(a)(ii) and (b)(ii), the matters are—
(a)the kind of personal information accessed, disclosed or lost; and
(b)the sensitivity of the personal information; and
(c)whether the personal information is protected by 1 or more security measures; and
(d)if the personal information is protected by 1 or more security measures—the likelihood that any of those security measures could be overcome; and
(e)the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information; and
(f)the nature of the harm likely to result from the data breach; and
(g)any other relevant matter.

Part 2    Assessment of suspected eligible data breaches

48   Obligations of agencies in relation to data breaches

(1)This section applies in relation to a data breach of an agency if the agency knows, or reasonably suspects, that the data breach is an eligible data breach of the agency.
(2)The agency must—
(a)immediately, and continue to, take all reasonable steps to—
(i)contain the data breach; and
(ii)mitigate the harm caused by the data breach; and
(b)if the agency does not know whether the data breach is an eligible data breach of the agency—assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.
(3)An assessment under subsection (2)(b) must be completed within—
(a)30 days after the suspicion mentioned in subsection (1) was formed; or
(b)if the period mentioned in paragraph (a) is extended under section 49—the extended period.
(4)If, at any time, the agency becomes aware the data breach may affect another agency, the agency must give a written notice to the other agency of the data breach that includes—
(a)a description of the data breach; and
(b)a description of the kind of personal information the subject of the data breach, without including any personal information in the description.
(5)The agency need not comply with subsections (2)(b) and (3) in relation to the data breach if—
(a)all of the personal information the subject of the data breach is also the subject of a data breach of 1 or more other agencies; and
(b)at least 1 of the other agencies has undertaken to conduct the assessment in relation to the data breach.

49   Extension of period for assessment by agency

(1)This section applies if an agency required to conduct an assessment under section 48 is satisfied the assessment cannot reasonably be completed within the 30 day period mentioned in section 48(3)(a).
(2)The agency may extend the period within which the assessment must be completed by no longer than the period reasonably required for the agency to complete the assessment.
(3)If the period is extended under subsection (2), the agency must, within the 30 day period mentioned in section 48(3)(a)—
(a)start the assessment; and
(b)give a written notice to the information commissioner stating—
(i)that the assessment has started; and
(ii)the period within which the assessment must be completed has been extended under this section; and
(iii)the day the extended period ends.
(4)The information commissioner may ask the agency to provide further information or updates about the progress of the assessment.

Part 3    Notifying eligible data breaches

Division 1    Preliminary

50   Application of part

(1)This part applies if an agency reasonably believes that there has been an eligible data breach of the agency.
(2)However, division 2 does not apply in relation to the agency to the extent an exemption applies to the agency under division 3.

Division 2    Notification

51   Agency must give statement about eligible data breach to information commissioner

(1)The agency must, as soon as practicable after forming the belief mentioned in section 50—
(a)prepare a statement that includes the information stated in subsection (2); and
(b)give the statement to the information commissioner.
(2)For subsection (1)(a), the statement must, to the extent it is reasonably practicable, include the following information—
(a)the information that must be included in a notification given under section 53(2)(a) to (e), (h) and (i);
(b)a description of the kind of personal information the subject of the data breach, without including any personal information in the description;
(c)the agency’s recommendations about the steps individuals should take in response to the data breach;
(d)whether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies;
(e)the total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of each of the following—
(i)the individuals whose personal information has been accessed, disclosed or lost;
(ii)affected individuals for the data breach;
(f)either—
(i)the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number; or
(ii)if section 57 is relied on, the total number of individuals who would have been notified if that section had not been relied on or, if it is not reasonably practicable to work out the total number, an estimate of the total number;
(g)whether the individuals notified have been advised about how to make a privacy complaint to the agency under section 166A.

52   Further information to be provided

(1)This section applies if it is not reasonably practicable to include any information required under section 51 when the statement is given to the information commissioner under that section, including, for example, the total number of individuals mentioned in section 51(2)(e) or (f).
(2)The agency must take all reasonable steps to provide the information to the commissioner as soon as practicable after the statement is given.

53   Agencies must notify particular individuals

(1)The agency must, as soon as practicable after the belief mentioned in section 50 is formed—
(a)if it is reasonably practicable to notify each individual whose personal information has been accessed, disclosed or lost—take reasonable steps to notify each individual of the information mentioned in subsection (2); or
(b)if paragraph (a) does not apply and it is reasonably practicable to notify each affected individual for the data breach—take reasonable steps to notify each affected individual of the information mentioned in subsection (2); or
(c)if paragraphs (a) and (b) do not apply—publish the information mentioned in subsection (2) on an accessible agency website for a period of at least 12 months, other than information that would prejudice the agency’s functions.
(2)A notification under subsection (1) must, to the extent it is reasonably practicable, include the following information—
(a)the name of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;
(b)the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach;
(c)the date the data breach occurred;
(d)a description of the data breach, including the type of eligible data breach under section 47;
(e)information about how the data breach occurred;
(f)for a notification under subsection (1)(a) or (b)—
(i)a description of the personal information the subject of the data breach; and
(ii)the agency’s recommendations about the steps the individual should take in response to the data breach;
(g)for a notification under subsection (1)(c)—
(i)a description of the kind of personal information the subject of the data breach, without including any personal information in the description; and
(ii)the agency’s recommendations about the steps individuals should take in response to the data breach;
(h)if the data breach involved unauthorised access to or disclosure of personal information—the period during which the access or disclosure was available or made;
(i)the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach;
(j)information about how an individual may make a privacy complaint to the agency under section 166A.
(3)The agency must, as soon as practicable after a notice is published under subsection (1)(c), provide the information commissioner with information about how to access the notice.
(4)The information commissioner must, after receiving the information under subsection (3), publish on the commissioner’s website information about how to access the notice for a period of at least 12 months.

54   Particular agencies may collect, use and disclose relevant personal information for notification

(1)A regulation may prescribe—
(a)an agency (a disclosing agency) that may, under this section, disclose relevant personal information to another agency; and
(b)an agency (a receiving agency) that may, under this section, collect and use relevant personal information from a disclosing agency and disclose relevant personal information to the disclosing agency.
(2)A disclosing agency may disclose relevant personal information held by the agency to a receiving agency if the receiving agency is the subject of an eligible data breach.
(3)The receiving agency may collect and use relevant personal information from a disclosing agency, and disclose relevant personal information to the disclosing agency, if it is reasonably necessary for the purpose of confirming—
(a)the name and contact details of a notifiable individual; or
(b)whether a notifiable individual is deceased.
(4)A disclosing agency or receiving agency is not required to comply with a QPP in relation to the disclosure, collection or use of relevant personal information under this section.
(5)For subsection (2), an eligible data breach includes—
(a)a data breach that an agency reasonably believes is an eligible data breach; and
(b)a suspected data breach of an agency mentioned in section 61(1), whether or not the information commissioner has made a recommendation under section 61(4).
(6)If a disclosing agency may, under an Act, enter into an arrangement and charge a fee for the provision of personal information kept by the agency under that Act, the agency may do so under that Act in relation to personal information that may be disclosed under this section.
(7)In this section—
identifier, for an individual, means an identifier other than solely the individual’s name, including, for example, a number, that is—
(a)assigned to the individual in relation to the individual’s personal information by an entity for the purpose of uniquely identifying that individual, whether or not it is subsequently used other than in relation to the personal information; or
(b)adopted, used or disclosed in relation to the individual’s personal information by an entity for the purpose of uniquely identifying the individual.
notifiable individual means—
(a)an individual mentioned in section 53(1)(a) or (b); or
(b)an individual the information commissioner recommends should be notified under section 61(4).
relevant personal information means the following information about an individual—
(a)the name of the individual;
(b)the contact details of the individual;
(c)the date of birth of the individual;
(d)an identifier for the individual;
(e)if the individual is deceased—the date of the individual’s death.

Division 3 Exemptions

55   Exemption—investigations and proceedings

An agency need not comply with division 2 to the extent complying with that division is likely to prejudice—
(a)an investigation that could lead to the prosecution of an offence; or
(b)proceedings before a court or tribunal.

56   Exemption—eligible data breach of more than 1 agency

(1)This section applies if—
(a)an agency is not required to comply with requirements about assessing a data breach under section 48(2)(b) and (3) because section 48(5) applies to the agency; and
(b)another agency is required to comply with division 2 in relation to the data breach.
(2)The agency need not comply with division 2 in relation to the data breach.

57   Exemption—agency has taken remedial action

(1)This section applies in relation to an eligible data breach of an agency if—
(a)for a data breach involving unauthorised access to, or disclosure of, personal information—
(i)the agency takes action to mitigate the harm caused by the data breach; and
(ii)the action is taken before the access or disclosure results in serious harm to any individual; and
(iii)as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual; or
(b)for a data breach involving the loss of personal information—
(i)the agency takes action to mitigate the loss; and
(ii)the action is taken before there is unauthorised access to, or disclosure of, the personal information; and
(iii)as a result of the action taken, there is no unauthorised access to, or disclosure of, the personal information; or
(c)for a data breach involving the loss of personal information—
(i)the agency takes action to mitigate the loss; and
(ii)the action is taken after there is unauthorised access to, or unauthorised disclosure of, the personal information but before the access or disclosure results in serious harm to any individual; and
(iii)as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual.
(2)The agency need not comply with section 53 in relation to the eligible data breach.

58   Exemption—inconsistency with confidentiality provision

An agency need not comply with division 2 in relation to an eligible data breach of the agency to the extent the compliance would be inconsistent with a provision of an Act of the Commonwealth or a State that prohibits or regulates the use or disclosure of the information.

59   Exemption—serious risk of harm to health or safety

(1)An agency need not comply with section 53 in relation to an eligible data breach to the extent compliance would create a serious risk of harm to an individual’s health or safety, having regard to, for example—
(a)whether the harm caused by complying with division 2 is greater than the harm of not complying with that division; and
(b)the currency of the information relied on.
(2)If an agency relies on this section, the agency must give a written notice to the information commissioner stating—
(a)the extent to which the agency is exempt from complying with division 2 under this section; and
(b)whether or not the exemption is permanent or temporary; and
(c)if the exemption is temporary—when the agency expects the exemption will stop applying.

60   Exemption—compromise to cybersecurity

(1)An agency need not comply with section 53 in relation to an eligible data breach if compliance is likely to—
(a)compromise or worsen the agency’s cybersecurity; or
(b)lead to further data breaches of the agency.
(2)The exemption applies only for the period during which a matter mentioned in subsection (1)(a) or (b) continues to apply for the agency in relation to the eligible data breach.
(3)If an agency relies on this section, the agency must give a written notice to the information commissioner stating—
(a)the agency is exempt from complying with division 2 under this section; and
(b)when the agency expects the exemption will stop applying; and
(c)how the agency will review the application of the exemption.
(4)The agency must—
(a)review the application of the exemption each month for the period during which the exemption is relied on; and
(b)give the commissioner a summary of the review as soon as practicable after it is completed.

Part 4    Role of information commissioner

61   Information commissioner may direct agency to give statement and make recommendations

(1)This section applies if the information commissioner reasonably suspects a data breach of an agency may be an eligible data breach of the agency.
(2)The information commissioner may, after complying with subsections (5) and (6), direct the agency by written notice to prepare and give to the commissioner a statement providing the following information—
(a)the name and contact details of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;
(b)a description of the data breach, including the kind of personal information involved in the data breach;
(c)recommendations about the steps an individual who may be affected by the data breach should take in response to the data breach;
(d)any other information related to the data breach requested by the commissioner.
(3)The agency must comply with the direction.
(4)If a direction is given under subsection (2), the information commissioner may also, after complying with subsections (5) and (6), recommend to the agency that the agency notify individuals under section 53 as if the agency reasonably believed the data breach were an eligible data breach.
(5)Before giving a direction under subsection (2) or making a recommendation under subsection (4), the information commissioner must invite the agency to make a submission to the commissioner, within a reasonable period, about the data breach.
(6)Without limiting the matters the information commissioner may consider, in deciding whether to give a direction under subsection (2) or make a recommendation under subsection (4), the information commissioner must have regard to the following—
(a)any advice given to the information commissioner by a law enforcement agency;
(b)any submission made by the agency under subsection (5).

Part 5    Investigations

Division 1 Authorised officers

62   Functions

The functions of an authorised officer are to monitor and investigate whether an occasion has arisen for the exercise of the information commissioner’s powers that relate to an agency’s compliance with this chapter.

63   Appointment

The information commissioner may, by instrument in writing, appoint an appropriately qualified person as an authorised officer.

64   Identity cards

(1)The information commissioner must issue an identity card to each authorised officer.
(2)The identity card must—
(a)contain a recent photo of the authorised officer; and
(b)contain a copy of the signature of the information commissioner and authorised officer; and
(c)identify the person as an authorised officer under this part; and
(d)state an expiry date for the card.

65   Production or display of identity card

(1)In exercising a power in relation to a person in the person’s presence or by audio visual link, an authorised officer must—
(a)produce the authorised officer’s identity card for the person’s inspection before exercising the power; or
(b)have the identity card displayed so it is clearly visible to the person when exercising the power.
(2)However, if it is not practicable to comply with subsection (1), the authorised officer must produce the identity card for the person’s inspection at the first reasonable opportunity.

66   Return of identity card

If the office of a person as an authorised officer ends, the person must return the person’s identity card to the information commissioner within 15 business days after the office ends unless the person has a reasonable excuse.

Maximum penalty—10 penalty units.

Division 2 Entry of places occupied by agencies

67   General power to enter places occupied by agency

An authorised officer may enter an agency’s place of business, or another place occupied by the agency, if either of the following apply—
(a)the agency has consented to the commissioner’s request for entry made under section 68;
(b)the agency has failed to consent to the commissioner’s request for entry made under section 68, and the entry is made in compliance with the notice given for the entry under section 68(2).

68   Information commissioner must give written notice of entry

(1)Before an authorised officer enters a place occupied by an agency under section 67, the information commissioner must, by written notice, ask the agency to consent to an authorised officer entering the place.
(2)The notice must—
(a)explain the purpose of the entry, including the powers intended to be exercised; and
(b)propose a reasonable date and time for the entry; and
(c)ask for the agency’s principal officer’s written consent to the entry to be given to the information commissioner within a stated reasonable period; and
(d)if the place is the agency’s place of business, state that if the written consent is not given to the commissioner within the stated period, an authorised officer may enter the place on a stated reasonable date and at a stated reasonable time when the place—
(a)is open for carrying on the business; or
(b)is otherwise open for entry.
(3)If the notice is given to an agency, the agency must take all reasonable steps to facilitate entry by an authorised officer on the date and time consented to or stated under subsection (2)(d).

Maximum penalty—100 penalty units.

(4)For subsection (2)(d), an agency’s place of business does not include a part of the place where a person resides.

Division 3 Powers of authorised officers

69   General powers

(1)If an authorised officer enters a place under section 67, the authorised officer may do the following—
(a)require a person at the place who has the necessary skills or knowledge to demonstrate the data handling systems and practices of the agency that relate to the agency’s compliance with this chapter;
(b)inspect a document that is relevant to the systems, policies and practices of the agency that relate to the agency’s compliance with this chapter;
(c)remain at the place for the time necessary to achieve the purpose of the entry.
(2)Also, if the agency agrees, an authorised officer may exercise a power mentioned in subsection (1)(a) or (b) by audio visual link provided by the agency.
(3)In this section—
audio visual link means facilities that enable reasonably contemporaneous and continuous audio and visual communication between persons at different places and includes videoconferencing.

70   Power to require reasonable help

(1)If an authorised officer enters a place occupied by an agency under section 67, the authorised officer may require a person at the place to give the authorised officer reasonable help to exercise a power under that section, including, for example, to demonstrate data handling systems and practices or produce a document.
(2)When making a requirement under subsection (1), the authorised officer must give the person an offence warning for the requirement.
(3)In this section—
offence warning, for a requirement made by an authorised officer under subsection (1), means a warning that, without a reasonable excuse, it is an offence for the person of whom the requirement is made not to comply with the requirement.

71   Offence to contravene help requirement

(1)A person of whom a requirement is made under section 70(1) must comply with the requirement unless the person has a reasonable excuse.

Maximum penalty—100 penalty units.

(2)It is a reasonable excuse for an individual not to comply with a requirement under section 70(1) if complying with the requirement might—
(a)tend to incriminate the individual or expose the individual to a penalty; or
(b)result in the disclosure of information that is the subject of legal professional privilege; or
(c)result in the disclosure of confidential information in contravention of a law.
(3)However, subsection (2) does not apply if a document or information the subject of the help requirement is required to be held or kept by the individual under this Act.

Note—

See, however, section 74.

Part 6    Miscellaneous

72   Agency must keep register

(1)An agency must keep a register of eligible data breaches of the agency.
(2)The register must include the following information for each eligible data breach—
(a)a description of the eligible data breach, including the type of data breach under section 47;
(b)if a statement is required for the eligible data breach under section 51—the date the statement is provided;
(c)if further information about the eligible data breach is required to be given to the information commissioner under section 52—each date the further information is given;
(d)if individuals are notified of the eligible data breach under section 53(1)(a) or (b)—the individuals notified and the date and method used to notify the individuals;
(e)if the agency relied on an exemption under part 3, division 3—the exemption relied on;
(f)details of the steps taken by the agency to—
(i)contain the eligible data breach under section 48(2)(a) or (4)(a); and
(ii)mitigate the harm caused by the eligible data breach under section 48(4)(a);
(g)details of the actions taken by the agency to prevent future data breaches of a similar kind occurring.
(3)If it is not practicable to include any or all of the information mentioned in subsection (2) for an eligible data breach at a particular time, the agency must record the information in the register as soon as it is practicable to do so.

73   Agency must publish data breach policy

(1)An agency must prepare and publish a policy about how it will respond to a data breach, including a suspected eligible data breach, of the agency.
(2)The policy must be published on an accessible agency website.

74   Evidential immunity for individuals complying with particular requirements

(1)Subsection (2) applies if an individual gives information to an authorised officer under section 69 or 70(1).
(2)Evidence of the information, and other evidence directly or indirectly derived from the information, is not admissible against the individual in any proceeding to the extent it tends to incriminate the individual, or expose the individual to a penalty, in the proceeding.
(3)Subsection (2) does not apply to a proceeding about the false or misleading nature of the information or anything in which the false or misleading nature of the information is relevant evidence.

75   [Repealed]

76   [Repealed]

77   [Repealed]

78   [Repealed]

79   [Repealed]

80   [Repealed]

81   [Repealed]

82   [Repealed]

83   [Repealed]

84   [Repealed]

85   [Repealed]

86   [Repealed]

87   [Repealed]

88   [Repealed]

89   [Repealed]

90   [Repealed]

91   [Repealed]

92   [Repealed]

93   [Repealed]

94   [Repealed]

95   [Repealed]

96   [Repealed]

97   [Repealed]

98   [Repealed]

99   [Repealed]

100   [Repealed]

101   [Repealed]

102   [Repealed]

103   [Repealed]

104   [Repealed]

105   [Repealed]

106   [Repealed]

107   [Repealed]

108   [Repealed]

109   [Repealed]

110   [Repealed]

111   [Repealed]

112   [Repealed]

113   [Repealed]

114   [Repealed]

115   [Repealed]

116   [Repealed]

117   [Repealed]

118   [Repealed]

119   [Repealed]

120   [Repealed]

121   [Repealed]

122   [Repealed]

123   [Repealed]

124   [Repealed]

125   [Repealed]

126   [Repealed]

127   [Repealed]

128   [Repealed]

129   [Repealed]

130   [Expired]

131   [Repealed]

132   [Repealed]

133   [Repealed]

Chapter 4    Information Commissioner and Privacy Commissioner

Note—

A reference in this chapter to an agency includes a reference to a Minister, a department, a local government or a public authority—see section 18.

Part 1    Functions of information commissioner under this Act

134   Information commissioner not subject to direction

(1)The information commissioner is not subject to direction by any person about—
(a)the way in which the commissioner’s powers are to be exercised in the performance of a function under section 135 or 136; or
(b)the priority to be given to investigations, reviews, audits mentioned in section 135(1)(b)(iii) and privacy complaints under this Act.
(2)Subsection (1) has effect despite the Public Sector Act 2022.

135   Performance monitoring, investigation and support functions

(1)The functions of the information commissioner include—
(a)on the commissioner’s own initiative or otherwise—
(i)conducting—
(A)reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or
(B)reviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and
(ii)investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A; and
(b)leading the improvement of public sector privacy administration in Queensland by taking appropriate action to—
(i)promote understanding of and compliance with this Act; and
(ii)provide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and
(iii)monitor and audit relevant entities’ compliance with this Act; and
(iv)initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and
(v)comment on any issues relating to the administration of privacy in the public sector environment; and
(vi)without limiting subparagraph (v), identify and comment on legislative and administrative changes that would improve the administration of this Act; and
(vii)prepare, or assist in the preparation of, QPP codes; and
(viii)assist relevant entities in complying with obligations under QPP codes; and
(ix)prepare guidelines for permitted general situations under chapter 3, part 2; and
(c)issuing guidelines under section 138; and
(d)supporting complainants for privacy complaints, and all relevant entities to the extent they are subject to the operation of this Act; and
(e)if the commissioner considers it appropriate, reporting to the Speaker on the findings of a reportable matter, including reporting any recommendations to the relevant entity the subject of the reportable matter.
(2)In this section—
reportable matter means—
(a)a review or investigation under subsection (1)(a); or
(b)an audit under subsection (1)(b)(iii).

136   Decision-making functions

The functions of the information commissioner include—
(a)waiving or modifying—
(i)an obligation of a relevant entity to comply with the privacy principle requirements; or
(ii)an obligation of an agency to comply with chapter 3A, part 2 or 3 or section 72 or 73; and
(b)issuing compliance notices under part 6; and
(c)dealing with privacy complaints under chapter 5.

137   [Repealed]

138   Power to issue guidelines

(1)The information commissioner may issue a guideline about any matter relating to the information commissioner’s functions, including, for example, guidelines about—
(a)the interpretation and administration of this Act; and
(b)best practice for relevant entities in relation to information privacy generally; and
(c)the application of the privacy principle requirements, including the factors to be considered in determining whether the QPPs are being complied with.
(2)To remove any doubt, it is declared that—
(a)this section does not limit the information commissioner’s power to make guidelines under the Right to Information Act, section 132; and
(b)a guideline issued under that Act may include guidelines relating to the information commissioner’s functions under this Act.

Part 2    Staff of Office of Information Commissioner in relation to this Act

139   Delegation

The information commissioner may delegate to a member of the staff of the OIC all or any of the commissioner’s powers under this Act.

140   Staff subject only to direction of information commissioner

(1)The staff of the OIC are not subject to direction by any person, other than the information commissioner or a person authorised by the commissioner, about the performance of the commissioner’s functions under this Act.
(2)Subsection (1) has effect despite the Public Sector Act 2022.

Part 3    Privacy Commissioner

141   The Privacy Commissioner

(1)There is to be a Privacy Commissioner (the privacy commissioner).
(2)The privacy commissioner is a member of the staff of the OIC.

142   Role and function of privacy commissioner

(1)The privacy commissioner’s role is that of a deputy to the information commissioner, with particular responsibility for matters relating to the information commissioner’s functions under this Act.
(2)The privacy commissioner’s function is to perform the functions of the information commissioner under this Act to the extent the functions are delegated to the privacy commissioner by the information commissioner.

143   Privacy commissioner subject to direction of information commissioner

The privacy commissioner is subject to the direction of the information commissioner.

144   Appointment

(1)The privacy commissioner is appointed by the Governor in Council.
(2)The privacy commissioner is appointed under this Act and not under the Public Sector Act 2022.

145   Procedure before appointment

(1)A person may be appointed as privacy commissioner only if—
(a)the Minister has placed press advertisements nationally calling for applications from suitably qualified persons to be considered for appointment; and
(b)the Minister has consulted with the parliamentary committee about—
(i)the process of selection for appointment; and
(ii)the appointment of the person as privacy commissioner.
(2)Subsection (1)(a) and (b)(i) does not apply to the reappointment of a person as privacy commissioner.

146   Term of appointment

(1)The privacy commissioner holds office for the term, of not more than 5 years, stated in the instrument of appointment.
(2)However, a person being reappointed as privacy commissioner can not be reappointed for a term that would result in the person holding office as privacy commissioner for more than 10 years continuously.

147   Remuneration and conditions

(1)The privacy commissioner must be paid remuneration and other allowances decided by the Governor in Council.
(2)The remuneration paid to the privacy commissioner must not be reduced during the commissioner’s term of office without the commissioner’s written agreement.
(3)In relation to matters not provided for by this Act, the privacy commissioner holds office on the terms and conditions decided by the Governor in Council.

148   Leave of absence

The information commissioner may approve a leave of absence for the privacy commissioner in accordance with entitlements available to the privacy commissioner under the privacy commissioner’s conditions of office.

149   Preservation of rights if public service officer appointed

(1)A public service officer who is appointed to the office of privacy commissioner or who is appointed to act in the office is entitled to retain all existing and accruing rights as if service in the office were a continuation of service as a public service officer.
(2)If the person stops holding the office for a reason other than misconduct, the person is entitled to be employed as a public service officer.
(3)The person must be employed on the classification level and remuneration that the Public Sector Commission under the Public Sector Act 2022 or another entity prescribed under a regulation considers the person would have attained in the ordinary course of progression if the person had continued in employment as a public service officer.

150   Restriction on outside employment

(1)The privacy commissioner must not, without the Minister’s prior approval in each particular case—
(a)hold any office of profit other than that of privacy commissioner; or
(b)engage in any remunerative employment or undertaking outside the duties of the office.
(2)Contravention of subsection (1) is misconduct under the Right to Information Act, section 160(a).

151   Resignation

(1)The privacy commissioner may resign by signed notice given to the Minister.
(2)As soon as practicable after the notice is given to the Minister, the Minister must—
(a)give the notice to the Governor for information; and
(b)give a copy of the notice to—
(i)the Speaker of the Assembly; and
(ii)the chairperson of the parliamentary committee.
(3)Failure to comply with subsection (2) does not affect the effectiveness of the resignation.

152   Acting privacy commissioner

(1)The Governor in Council may appoint a person to act as privacy commissioner—
(a)during a vacancy in the office; or
(b)during any period, or during all periods, when the privacy commissioner is absent from duty or from Australia or is, for another reason, unable to perform the duties of the office.
(2)The acting privacy commissioner is appointed under this Act and not the Public Sector Act 2022.
(3)The Acts Interpretation Act 1954, section 25(1)(b)(iv) and (v) does not apply to the office of acting privacy commissioner.

Part 4    Proceedings

153   Third party proceedings

(1)The information commissioner or a member of the staff of the OIC can not be compelled—
(a)to produce a privacy document in third party legal proceedings; or
(b)to disclose privacy information in third party legal proceedings.
(2)In this section—
privacy document means a document received, or created, by the commissioner or member in performing functions under this Act.
privacy information means information that the commissioner or member obtained in performing functions under this Act.
third party legal proceedings means a legal proceeding other than—
(a)a legal proceeding started by the commissioner; or
(b)a legal proceeding started against the commissioner or member arising out of the performance of functions under this Act.

154   Costs in proceedings

If a proceeding arising out of the performance of the functions of the information commissioner under this Act is started by the State, the reasonable costs of a party to the proceeding must be paid by the State.

155   Information commissioner and privacy commissioner may appear in proceedings

The information commissioner or privacy commissioner is entitled to appear and be heard in a proceeding arising out of the performance of the functions of the commissioner.

156   Intervention by Attorney-General

(1)The Attorney-General may, for the State, intervene in a proceeding before a court arising out of the performance of the functions of the information commissioner under this Act.
(2)If the Attorney-General intervenes—
(a)the court may make the order as to costs against the State the court considers appropriate; and
(b)the Attorney-General becomes a party to the proceeding.

Part 5    Waiving or modifying particular obligations in the public interest

157   Applying for waiver or modification of particular obligations

(1)A relevant entity may apply to the information commissioner for an approval that waives or modifies an obligation of the entity to comply with—
(a)the privacy principle requirements; or
(b)for an agency—chapter 3A, part 2 or 3 or section 72 or 73.
(2)The commissioner may, by gazette notice, give an approval that waives or modifies an obligation mentioned in subsection (1)—
(a)if it is a temporary approval—for the period of the approval’s operation; or
(b)otherwise—until the approval is revoked or amended.
(3)The Statutory Instruments Act 1992, sections 49 to 51 apply to a gazette notice under subsection (2), including a gazette notice revoking or amending an approval, as if it were subordinate legislation.
(4)The commissioner may give an approval under this section for an obligation only if the commissioner is satisfied that the public interest in the relevant entity’s compliance with the obligation is outweighed by the public interest in waiving or modifying the entity’s compliance with the obligation to the extent stated in the approval.
(5)While an approval is in force, the relevant entity does not contravene this Act in relation to the obligation the subject of the approval if the entity acts in accordance with the approval.
(6)If the commissioner gives an approval under this section—
(a)the commissioner must also ensure that a copy of the gazette notice is published on the commissioner’s website on the internet while the approval is in force; and
(b)if it is practicable to do so, the agency the subject of the approval must ensure that a copy of the gazette notice is published on the agency’s website on the internet.

Part 6    Compliance notices

158   Compliance notice

(1)The information commissioner may give a relevant entity a notice (a compliance notice) if the commissioner is satisfied on reasonable grounds that the entity—
(a)has done an act or engaged in a practice in contravention of a relevant obligation; and
(b)the act or practice—
(i)is a serious or flagrant contravention of the obligation; or
(ii)is of a kind that has been done or engaged in by the agency on at least 5 separate occasions within the last 2 years.
(2)A compliance notice may require a relevant entity to take stated action within a stated period for the purpose of ensuring compliance with the obligation.
(3)In this section—
relevant obligation means an obligation to comply with—
(a)the privacy principle requirements; or
(b)for an agency—
(i)chapter 3A, part 2 or 3; or
(ii)a direction given to the agency under section 61(2); or
(iii)section 72 or 73.

159   Extension of time for compliance

(1)A relevant entity that is given a compliance notice may ask the information commissioner to extend the time within which it must take the action stated in the compliance notice.
(2)The commissioner may amend the compliance notice by extending the period stated in the compliance notice for taking the action stated in the notice.
(3)Before the commissioner extends the period—
(a)the commissioner must be satisfied that it is not reasonably practicable for the relevant entity to take the action stated in the compliance notice within the time stated in the notice; and
(b)the relevant entity must give the commissioner an undertaking to take the stated action within the extended period.

160   Relevant entity must comply with notice

A relevant entity that is given a compliance notice under this part must take all reasonable steps to comply with the notice.

Maximum penalty—100 penalty units.

161   Application to Queensland Civil and Administrative Tribunal for review of decision to give compliance notice

(1)A relevant entity given a compliance notice under this part may apply, as provided under the QCAT Act, to QCAT for a review of a decision of the information commissioner to give the entity the compliance notice.
(2)QCAT must exercise its review jurisdiction under the QCAT Act.

162   Parties to QCAT proceeding

The relevant entity given a compliance notice under this part and the information commissioner are both parties to—
(a)an application to QCAT to review the decision to give the notice; and
(b)any review by QCAT of the decision.

163   How QCAT may dispose of review

If QCAT reviews a decision of the information commissioner to give a relevant entity a compliance notice, QCAT may make any of the following orders—
(a)confirm the commissioner’s decision to give the compliance notice;
(b)confirm the commissioner’s decision to give a compliance notice but substitute a compliance notice that is in different terms from the compliance notice given;
(c)revoke the giving of the compliance notice;
(d)revoke the giving of the compliance notice and give the commissioner directions about the issuing of a replacement compliance notice.

Chapter 5    Privacy complaints

Note—

A reference in this chapter to an agency includes a reference to a Minister, a department, a local government or a public authority—see section 18.

Part 1    Making privacy complaints

164   Meaning of privacy complaint

(1)A privacy complaint is a complaint by an individual about an act done or practice engaged in by a relevant entity in relation to the individual’s personal information that may be a breach of the relevant entity’s obligation to comply with—
(a)the privacy principle requirements; or
(b)for an agency—chapter 3A, part 2 or 3.
(2)However, a privacy complaint does not include a complaint in relation to the individual’s personal information to the extent the personal information is—
(a)in a document to which this Act does not apply; or
(b)if the personal information is held by a bound contracted service provider—in a document held by the provider other than for the purpose of performing its obligations under the provider’s service arrangement.

164A    Response period for privacy complaints

(1)The response period for a privacy complaint made to a relevant entity is—
(a)the period of 45 business days after the day the privacy complaint is received by the relevant entity; or
(b)if the relevant entity asks the complainant for a longer period under subsection (2)—the period during which, under subsection (4), the relevant entity may continue to consider the privacy complaint, in addition to the period mentioned in paragraph (a).
(2)The relevant entity may, before the end of a response period under subsection (1), ask the complainant for a further specified period to consider the complaint.
(3)A request under subsection (2) may be made more than once.
(4)If the relevant entity makes a request under subsection (2), the relevant entity may continue to consider the complaint and respond to it until—
(a)the complainant refuses the request; or
(b)the relevant entity receives a notice that the complainant has made a privacy complaint to the information commissioner; or
(c)the further specified period requested under subsection (2) ends.

165   Privacy complaint may be made or referred to information commissioner

(1)An individual whose personal information is, or at any time has been, held by a relevant entity may make a privacy complaint to the information commissioner.
(2)Also, a privacy complaint may be referred to the commissioner by any of the following entities—
(a)the ombudsman;
(b)the health ombudsman under the Health Ombudsman Act 2013;
(c)the human rights commissioner under the Anti-Discrimination Act 1991;
(d)a person or other entity having responsibilities, under a law of another State or the Commonwealth that corresponds to this Act, that correspond to the responsibilities of the commissioner under this Act;
(e)any other commission or external review body that has received the privacy complaint in performing its functions under a law.
(3)As soon as practicable after receiving a privacy complaint made or referred under this section, the commissioner must advise the relevant entity the subject of the complaint.

166   Requirements for privacy complaint to information commissioner

(1)A privacy complaint made or referred to the information commissioner must—
(a)be written; and
(b)state an address of the complainant to which notices may be forwarded under this Act; and
(c)give particulars of the act or practice the subject of the complaint.
(2)For a privacy complaint made to the commissioner by an individual, the commissioner must give reasonable help to the complainant to put the complaint into written form.
(3)However, an individual may not make a privacy complaint to the commissioner unless—
(a)the individual has first made a privacy complaint to the relevant entity under section 166A; and
(b)either—
(i)the individual does not consider the relevant entity’s response to the complaint to be adequate; or
(ii)the response period for the complaint has ended and the individual has not received a response to the complaint.

166A    Requirements for privacy complaint to relevant entity

(1)A privacy complaint made to a relevant entity by an individual must—
(a)be in writing; and
(b)state an address to which the entity may respond to the complaint; and
(c)give particulars of the act or practice the subject of the complaint; and
(d)be made within 12 months after the complainant becomes aware of the act or practice the subject of the complaint, or a longer period agreed by the relevant entity.
(2)The relevant entity may agree to a longer period under subsection (1)(d) if the relevant entity is satisfied the extension is reasonable in the circumstances.
(3)The relevant entity must give reasonable help to the individual to put the complaint in writing.

Part 2    Dealing with privacy complaints

167   Preliminary action

The information commissioner may make preliminary inquiries of the complainant and the respondent for a privacy complaint to decide whether the commissioner is authorised to deal with the privacy complaint and whether the commissioner may decline to deal with the complaint.

168   Information commissioner may decline to deal with or to deal further with complaint

(1)The information commissioner may decline to deal with a privacy complaint, or a part of a privacy complaint, made or referred to the commissioner if—
(a)the act or practice the subject of the complaint or part does not relate to the personal information of the complainant; or
(b)the requirements under section 166(3) for making a complaint have not been fully satisfied; or
(c)the commissioner reasonably believes the complaint or part is frivolous, vexatious, misconceived or lacking in substance; or
(d)there is a more appropriate course of action available under another Act to deal with the substance of the complaint or part; or
(e)although the complainant made the complaint to the respondent as required under section 166(3), in the circumstances, the respondent has not yet had an adequate opportunity to deal with the complaint or part; or
(f)12 months have elapsed since the earlier of the following days—
(i)the last day of the response period for the complaint;
(ii)the day the relevant entity responds to the complaint or part.
(2)The commissioner may decline to continue dealing with a privacy complaint, or a part of a privacy complaint, made or referred to the commissioner if—
(a)the complainant does not comply with a reasonable request made by the commissioner in dealing with the complaint or part; or
(b)the commissioner is satisfied on reasonable grounds that the complainant, without a reasonable excuse, has not cooperated in the commissioner’s dealing with the complaint or part; or
(c)the commissioner considers the address the complainant stated in making the privacy complaint is no longer the address at which the complainant can be contacted, and the complainant has not, within a reasonable time, advised the commissioner of a new address to which notices may be sent under this Act.

169   Referral of privacy complaint to other entity

(1)If the subject of a privacy complaint could be the subject of a complaint under the Ombudsman Act 2001, the information commissioner may refer the complaint to the ombudsman.
(2)If the subject of a privacy complaint could be the subject of a complaint under the Health Ombudsman Act 2013, the commissioner may refer the complaint to the health ombudsman under that Act.
(3)If the subject of a privacy complaint could be the subject of a complaint under a law of another State or the Commonwealth that corresponds to this Act, the commissioner may refer the complaint to the entity under that law having responsibility for dealing with complaints in the nature of privacy complaints.

170   Arrangement with ombudsman

(1)The information commissioner may enter into an arrangement with the ombudsman providing for—
(a)the privacy complaints under this chapter that the commissioner should refer to the ombudsman because they—
(i)relate to administrative actions; and
(ii)would be more appropriately dealt with by the ombudsman under the Ombudsman Act 2001; or
(b)the complaints under the Ombudsman Act 2001 that the ombudsman should refer to the commissioner because they—
(i)relate to decisions or other actions for which the commissioner has jurisdiction; and
(ii)would be more appropriately dealt with by the commissioner under this chapter; or
(c)how to deal with an administrative action that is the subject of a complaint, preliminary inquiry or investigation under the Ombudsman Act 2001 and a privacy complaint under this chapter; or
(d)the cooperative performance by the commissioner and the ombudsman of their respective functions relating to administrative actions.
(2)If an arrangement entered into under subsection (1) provides for referrals as mentioned in subsection (1)(a) or (b), the arrangement must also provide for how the referral is to be made.
(3)The commissioner and the ombudsman are empowered to perform their functions in accordance with any relevant arrangement entered into under this section.
(4)In this section—
administrative action has the meaning given by the Ombudsman Act 2001, section 7.

Part 3    Mediation of privacy complaints

171   Attempting resolution through mediation

(1)The information commissioner must consider whether, in the circumstances as known to the commissioner, resolution of a privacy complaint could be achieved through mediation.
(2)If it appears to the commissioner that it is reasonably likely that resolution of the privacy complaint could be achieved through mediation, the commissioner must take all reasonable steps to cause the complaint to be mediated.

172   Certification of mediated agreement

(1)This section applies if, after mediation of a privacy complaint, the complainant and the respondent for the complaint agree on a resolution of the complaint.
(2)The complainant or the respondent may ask the information commissioner to prepare a written record of the agreement.
(3)A request under subsection (2) must be made within 20 business days after the agreement is reached under subsection (1).
(4)If a request is made under subsection (2), the commissioner must take all reasonable steps to—
(a)prepare a written record of the agreement; and
(b)have the record signed by both the complainant and the respondent; and
(c)certify the agreement.

173   Filing of certified agreement with Queensland Civil and Administrative Tribunal

(1)The complainant or respondent to a privacy complaint the subject of a certified agreement under this part may file a copy of the agreement with QCAT.
(2)QCAT may make orders necessary to give effect to the certified agreement if, within 5 business days after the agreement is filed with QCAT, neither the complainant nor the respondent advises QCAT that the party wishes to withdraw from the agreement.
(3)However, QCAT may make an order under subsection (2) only if it is satisfied that implementation of the order is practicable and that the order is consistent with an order QCAT may make under the QCAT Act.
(4)An order under subsection (2) becomes, and may be enforced as, an order of QCAT under the QCAT Act.

173A    Confidentiality of mediation

Nothing said or done in the course of a mediation of a privacy complaint is admissible in any criminal, civil or administrative proceeding, unless the complainant and respondent for the complaint agree.

Part 4    Referral of privacy complaints to QCAT

174   Application of pt 4

This part applies if a privacy complaint is made to the information commissioner under this chapter, and—
(a)it does not appear to the commissioner reasonably likely that resolution of the complaint could be achieved through mediation; or
(b)mediation of the complaint is attempted under this chapter but a certified agreement for the resolution of the complaint is not achieved.

175   Advice to parties

The information commissioner must give written notice to both the complainant and the respondent for the privacy complaint advising—
(a)that this part applies and why it applies; and
(b)that the complainant may ask the commissioner to refer the privacy complaint to QCAT under section 175A.

175A    Complainant’s request for referral to Queensland Civil and Administrative Tribunal

(1)Within 20 business days after the date of the notice given under section 175, the complainant may, by written notice given to the information commissioner, ask the commissioner to refer the privacy complaint to QCAT.
(2)The information commissioner may, if asked by the complainant, extend the period mentioned in subsection (1) if the commissioner is satisfied extending the period is reasonable in all the circumstances.
(3)If the information commissioner extends the period under subsection (2), the commissioner must give a written notice to the complainant and the respondent for the privacy complaint stating the new period within which the complainant may give notice under subsection (1).

176   Referral to Queensland Civil and Administrative Tribunal

(1)If the complainant gives written notice to the information commissioner under section 175A, the commissioner must refer the privacy complaint to QCAT within 20 business days after receiving the written notice.
(2)QCAT must exercise its original jurisdiction under the QCAT Act to hear and decide a privacy complaint referred to it under this section.

177   Parties to QCAT proceeding

(1)The complainant and respondent for a privacy complaint the information commissioner refers to QCAT are both parties to the proceeding before QCAT.
(2)The complainant is taken to be the applicant for the proceeding before QCAT.

178   How QCAT may dispose of complaint

After the hearing of a privacy complaint referred to QCAT, QCAT may make 1 or more of the following orders—
(a)an order that the breach the subject of the complaint, or part of the complaint, has been substantiated, together with, if considered appropriate, an order in accordance with 1 or more of the following—
(i)that the respondent must not repeat or continue the act or practice the subject of the complaint;
(ii)that the respondent must engage in a stated reasonable act or practice to compensate for loss or damage suffered by the complainant;
(iii)that the respondent must apologise to the complainant for the act or practice the subject of the complaint;
(iv)that the respondent must make stated amendments of documents it holds;
(v)that the respondent is liable to pay the complainant a stated amount, of not more than $100,000 to compensate the complainant for loss or damage suffered by the complainant because of the act or practice the subject of the complaint, including for any injury to the complainant’s feelings or humiliation suffered by the complainant;
(b)an order that the breach the subject of the complaint, or part of the complaint, has been substantiated together with an order that no further action is required to be taken;
(c)an order that the breach the subject of the complaint, or part of the complaint, has not been substantiated, together with an order that the complaint or part is dismissed;
(d)an order that the complainant be reimbursed for expenses reasonably incurred in connection with making the complaint.

Chapter 6    Protections and offences

Part 1    Protections

179   Access—protection against actions for defamation or breach of confidence

(1)If a person has been given access to a document and the access was required or permitted to be given under this Act—
(a)no action for defamation or breach of confidence lies against the State, an agency or an officer of an agency because of the authorising or giving of the access; and
(a)the individual would reasonably expect the agency to use or disclose the information for the secondary purpose and the secondary purpose is—
(i)if the information is sensitive information—directly related to the primary purpose; or
(ii)if the information is not sensitive information—related to the primary purpose; or
(b)the use or disclosure of the information is required or authorised under an Australian law or a court or tribunal order; or
(c)a permitted general situation exists in relation to the use or disclosure of the information by the agency; or

Note—

Permitted general situations are stated in schedule 4, part 1.
(d)the agency is a health agency and a permitted health situation exists in relation to the use or disclosure of the information by the agency; or

Note—

Permitted health situations are stated in schedule 4, part 2.
(e)the agency reasonably believes the use or disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by a law enforcement agency; or
(f)all of the following apply—
(i)ASIO has asked the agency to disclose the personal information;
(ii)an officer or employee of ASIO authorised in writing by the director-general of ASIO for this paragraph has certified in writing that the personal information is required in connection with the performance by ASIO of its functions;
(iii)the disclosure is made to an officer or employee of ASIO authorised in writing by the director-general of ASIO to receive the personal information; or

Editor’s note—

QPP 6.2(f) applies in relation to Queensland agencies and does not correspond to an APP.
(g)all of the following apply—
(i)the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;
(ii)the use or disclosure does not involve the publication of all or any of the personal information in a form that identifies any individual;
(iii)it is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use or disclosure;
(iv)if the personal information is disclosed to another entity—the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity.

Editor’s notes—

1 QPP 6.2(g) applies in relation to Queensland agencies and does not correspond to an APP.
2 The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about the disclosure of personal information that is biometric information or biometric templates to an enforcement body in certain circumstances (see APP 6.3).
There is no equivalent QPP for APP 6.3.
6.4If—
(a)the agency is a health agency; and
(b)schedule 4, part 2, section 3 applied in relation to the collection of the personal information by the agency;
      the agency must take reasonable steps to ensure the information is de-identified before the agency discloses it under QPP 6.1 or QPP 6.2.
Written note of use or disclosure
6.5If an agency uses or discloses personal information in accordance with QPP 6.2(e), the agency must make a written note of the use or disclosure.

Editor’s note—

The equivalent APP includes a provision applying to certain private sector entities (see APP 6.6 and APP 6.7).

7   QPP 7—direct marketing

Editor’s note—

The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle prohibiting direct marketing by certain private sector entities (see APP 7).
There is no equivalent QPP for APP 7.

Note—

QPP 6 is relevant to the use or disclosure of personal information for the purpose of direct marketing.

8   QPP 8—cross-border disclosure of personal information

Editor’s note—

The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about requirements for cross-border disclosure of personal information (see APP 8).
There is no equivalent QPP for APP 8.

9   QPP 9—adoption, use or disclosure of government related identifiers

Editor’s note—

The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle regulating the adoption, use or disclosure of government related identifiers by certain private sector entities (see APP 9).
There is no equivalent QPP for APP 9.

Part 4    Integrity of personal information

10   QPP 10—quality of personal information

10.1An agency must take reasonable steps to ensure the personal information the agency collects is accurate, up to date and complete.
10.2An agency must take reasonable steps to ensure the personal information the agency uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.

11   QPP 11—security of personal information

11.1If an agency holds personal information, the agency must take reasonable steps to protect the information—
(a)from misuse, interference or loss; and
(b)from unauthorised access, modification or disclosure.
11.2If—
(a)an agency holds personal information about an individual; and
(b)the agency no longer needs the information for a purpose for which the information may be used or disclosed by the agency under the QPPs; and
(c)the information is not contained in a public record; and
(d)the agency is not required under an Australian law, or a court or tribunal order, to retain the information;
      the agency must take reasonable steps to destroy the information or to ensure the information is de-identified.

Part 5    Access to, and correction of, personal information

12   QPP 12—access to personal information

Access
12.1If an agency holds personal information about an individual, the agency must, on request by the individual, give the individual access to the information.
Exception to access
12.2If the agency is required or authorised to refuse to give the individual access to the personal information under—
(a)the Right to Information Act; or
(b)another law in force in Queensland that provides for access by people to documents;
      then, despite QPP 12.1, the agency is not required to give access to the extent the agency is required or authorised to refuse to give access.

Editor’s notes—

1 The equivalent APP includes a provision applying to certain private sector entities (see APP 12.3).
2 The Privacy Act 1988 (Cwlth), schedule 1 includes privacy principles about the procedures for requesting access to personal information, including requirements for dealing with requests for access, other means of access, access charges and refusals to give access (see APPs 12.4 to 12.10).
There are no equivalent QPPs for APPs 12.3 to 12.10.

13   QPP 13—correction of personal information

Correction
13.1If—
(a)an agency holds personal information about an individual; and
(b)either—
(i)the agency is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
(ii)the individual requests the agency to correct the information;
      the agency must take reasonable steps to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.

Editor’s note—

The Privacy Act 1988 (Cwlth), schedule 1 includes privacy principles about requirements to notify other APP entities of corrections to personal information, and refusals to correct personal information (see APPs 13.2 and 13.3).
There are no equivalent QPPs for APPs 13.2 and 13.3.
Request to associate a statement
13.4If—
(a)the agency refuses to correct the personal information as requested by the individual; and
(b)the individual requests the agency to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading;
      the agency must take reasonable steps to associate the statement in a way that will make the statement apparent to users of the information.

Editor’s note—

The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about dealing with requests to correct personal information (see APP 13.5).
There is no equivalent QPP for APP 13.5.
13.6An agency need not comply with QPP 13.1 in relation to a request made to the agency to correct personal information if the agency is required or authorised to refuse to correct or amend the information under the Right to Information Act or another Act regulating the amendment of personal information.

Editor’s note—

QPP 13.6 applies in relation to Queensland agencies and does not correspond to an APP.

Schedule 4 Permitted general situations and permitted health situations

schedule 5, definitions permitted general situation and permitted health situation

Part 1    Permitted general situations

1   Collection, use or disclosure

A permitted general situation exists in relation to the collection, use or disclosure by an agency of personal information about an individual if—
(a)both of the following apply—
(i)it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure;
(ii)the agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety; or
(b)both of the following apply—
(i)the agency has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the agency’s functions or activities has been, is being or may be engaged in;
(ii)the agency reasonably believes that the collection, use or disclosure is necessary in order for the agency to take appropriate action in relation to the matter; or
(c)both of the following apply—
(i)the agency reasonably believes that the collection, use or disclosure is reasonably necessary to assist an entity to locate a person who has been reported as missing;
(ii)the collection, use or disclosure complies with a guideline in effect under chapter 3, part 2; or
(d)the collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim; or
(e)the collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.

Part 2    Permitted health situations

2   Collection—provision of a health service

(1)A permitted health situation exists in relation to the collection by a health agency of health information about an individual if—
(a)the information is necessary to provide a health service to the individual; and
(b)either—
(i)the collection is required or authorised under an Australian law; or
(ii)the individual would reasonably expect the health agency to collect the information for that purpose.
(2)Also, a permitted health situation exists in relation to the collection by a health agency of health information about an individual if—
(a)the information is a family medical history, social medical history or other relevant information about the individual or another individual; and
(b)it is necessary to collect the information about the individual for the purpose of providing the individual or another individual with a health service; and
(c)the information about the individual is collected by the health agency from—
(i)the person who is receiving or about to receive the health service; or
(ii)a responsible person for the individual.

3   Collection—research etc.

(1)A permitted health situation exists in relation to the collection by a health agency of health information about an individual if—
(a)the collection is necessary for any of the following purposes—
(i)research relevant to public health or public safety;
(ii)the compilation or analysis of statistics relevant to public health or public safety;
(iii)the management, funding or monitoring of a health service; and
(b)that purpose can not be served by the collection of information that does not identify the individual or from which the individual’s identity can not reasonably be ascertained; and
(c)it is impracticable for the health agency to seek the individual’s consent to the collection; and
(d)the information is collected—
(i)as required or authorised under an Australian law; or
(ii)by a designated person with the approval of the relevant chief executive; or
(iii)in accordance with guidelines approved by the chief executive of the health department for this subparagraph.
(2)In this section—
designated person see the Hospital and Health Boards Act 2011, section 139A.
relevant chief executive, of a health agency, means—
(a)if the health agency is a Hospital and Health Service—the health service chief executive or the chief executive of the health department; or
(b)otherwise—the chief executive of the health department.

4   Use or disclosure—research etc.

A permitted health situation exists in relation to the use or disclosure by a health agency of health information about an individual if—
(a)the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and
(b)it is impracticable for the health agency to obtain the individual’s consent before the use or disclosure; and
(c)the use or disclosure is conducted in accordance with guidelines approved by the chief executive of the health department for this paragraph; and
(d)for disclosure—the health agency reasonably believes the entity receiving the health information will not disclose the health information or personal information derived from the health information.

5   Disclosure—responsible person for an individual

A permitted health situation exists in relation to the disclosure by a health agency of health information about an individual if—
(a)the health agency provides a health service to the individual; and
(b)the recipient of the information is a responsible person for the individual; and
(c)the individual is—
(i)physically or legally incapable of giving consent to the disclosure; or
(ii)physically can not communicate consent to the disclosure; and
(d)a health professional providing the health service for the organisation is satisfied—
(i)the disclosure is necessary to provide appropriate care or treatment of the individual; or
(ii)the disclosure is made for compassionate reasons; and
(e)the disclosure is not contrary to any wish—
(i)expressed by the individual before the individual became unable to give or communicate consent; and
(ii)of which the health professional is aware, or of which the health professional could reasonably be expected to be aware; and
(f)the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (d).

6   [Repealed]

7   [Repealed]

8   [Repealed]

9   [Repealed]

Schedule 5 Dictionary

section 11

access application ...
access charge ...
accessible agency website means a website that is—
(a)accessible by members of the public; and
(b)operated by an agency.
access law means a law of the State that provides for access by persons to documents.
adult child ...
adult sibling ...
affected individual, in relation to a data breach of an agency, see section 47(1)(a)(ii) and (b)(ii).
agency see section 18.
agent ...
amendment application ...
APP means an Australian Privacy Principle set out in the Privacy Act 1988 (Cwlth), schedule 1.
appeal tribunal ...
applicant ...
appropriately qualified ...
approved form means a form approved under section 200.
ASIO means the Australian Security Intelligence Organisation established under the Australian Security Intelligence Organisation Act 1979 (Cwlth).
Assembly means the Legislative Assembly.
Australian law, for schedules 3 and 4, means a law of the Commonwealth or a State, and includes the common law.
authorised officer means a person who holds office under chapter 3A, part 5 as an authorised officer.
backup system ...
bound contracted service provider means the contracted service provider under a service arrangement if—
(a)under section 35(1) and (2), the contracting agency is required to take all reasonable steps to ensure the contracted service provider is required to comply with the privacy principle requirements as if it were the contracting agency; and
(b)under the service arrangement, the contracted service provider is required to comply with the privacy principle requirements as if it were the contracting agency.
chapter 3 agency ...
chapter 3 document ...
collect, for schedules 3 and 4, in relation to personal information, means collect the information for inclusion in a document or generally available publication.
community safety department means the department in which the Corrective Services Act 2006 is administered.
complainant, for a privacy complaint, means the person who makes the complaint.
compliance notice see section 158.
consent, for schedules 3 and 4, means express consent or implied consent.
considered decision ...
contracted service provider see section 34.
contracting agency see section 34.
contrary to public interest document ...
contrary to public interest information ...
control ...
coroner see the Coroners Act 2003.
court includes a justice and a coroner.
data breach, of an agency, means either of the following in relation to information held by the agency—
(a)unauthorised access to, or unauthorised disclosure of, the information;
(b)the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.
decision-maker ...
deemed decision ...
de-identify, for schedule 3, in relation to information, means to amend the information so it is no longer about an identified individual, or an individual who is reasonably identifiable from the information.
department ...
designated person ...
director-general, of ASIO, means the person appointed as the Director-General of Security under the Australian Security Intelligence Organisation Act 1979 (Cwlth).
disclose, personal information, see section 23.
document see section 15.
document to which the privacy principle requirements do not apply see section 16.
document to which the privacy principles do not apply ...
eligible data breach, of an agency, see section 47.
eligible family member ...
enforcement-related activity, for schedule 3, means—
(a)the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions; or
(b)the enforcement of laws relating to the confiscation of the proceeds of crime; or
(c)the protection of the public revenue; or
(d)the prevention, detection, investigation or remedying of seriously improper conduct; or
(e)the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
entity to which the privacy principles do not apply ...
excluded entity see section 18(4).
exempt document ...
exempt information ...
external review ...
external review application ...
function includes a power.
generally available publication means a magazine, book, article, newspaper or other publication that is, or will be, generally available to members of the public whether or not it is—
(a)published in print, electronically or in any other form; or
(b)available on payment of a fee or charge.
health agency means the health department or a Hospital and Health Service.
healthcare professional ...
health department means the department in which the Hospital and Health Boards Act 2011 is administered.
health information, about an individual means—
(a)personal information about the individual that includes any of the following—
(i)the individual’s health at any time;
(ii)a disability of the individual at any time;
(iii)the individual’s expressed wishes about the future provision of health services to the individual;
(iv)a health service that has been provided, or that is to be provided, to the individual; or
(b)personal information about the individual collected for the purpose of providing, or in providing, a health service; or
(c)personal information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual’s body parts, organs or body substances.
health professional see the Hospital and Health Boards Act 2011, schedule 2.
health service means—
(a)an activity performed in relation to an individual that is intended or claimed, expressly or otherwise, by the individual or by a person performing the activity—
(i)to assess, record, preserve or improve the individual’s health; or
(ii)to diagnose an illness or disability of the individual; or
(iii)to treat an illness or disability of the individual or a suspected illness or disability; or
(b)the dispensing on prescription of a drug or medicinal preparation by a pharmacist.
health service chief executive see the Hospital and Health Boards Act 2011, schedule 2.
held, in relation to personal information, see section 13.
holds, in relation to personal information, see section 13.
Hospital and Health Service means a Hospital and Health Service established under the Hospital and Health Boards Act 2011, section 17.
identity card, for a provision about authorised officers, means an identity card issued under section 64.
information commissioner means the information commissioner under the Right to Information Act.
internal review ...
internal review application ...
IPP ...
judicial member ...
law enforcement agency means—
(a)for the purposes of QPP 6—an enforcement body within the meaning of the Privacy Act 1988 (Cwlth) or any entity mentioned in paragraph (b); or
(b)otherwise—
(i)the Queensland Police Service under the Police Service Administration Act 1990; or
(ii)the Crime and Corruption Commission; or
(iii)the community safety department; or
(iv)any other agency, to the extent it has responsibility for—
(A)the performance of functions or activities directed to the prevention, detection, investigation, prosecution or punishment of offences and other breaches of laws for which penalties or sanctions may be imposed; or
(B)the management of property seized or restrained under a law relating to the confiscation of the proceeds of crime; or
(C)the enforcement of a law, or of an order made under a law, relating to the confiscation of the proceeds of crime; or
(D)the execution or implementation of an order or decision made by a court or tribunal; or
(E)the protection of public revenue.
Minister includes an Assistant Minister.
narrow ...
NPP ...
officer, in relation to an agency, includes—
(a)the agency’s principal officer; and
(b)a member of the agency; and
(c)a member of the agency’s staff; and
(d)a person employed by or for the agency.
OIC means the office of the information commissioner under the Right to Information Act.
parliamentary committee means—
(a)if the Legislative Assembly resolves that a particular committee of the Assembly is to be the parliamentary committee under this Act—that committee; or
(b)if paragraph (a) does not apply and the standing rules and orders state that the portfolio area of a portfolio committee includes the privacy commissioner—that committee; or
(c)otherwise—the portfolio committee whose portfolio area includes the department, or the part of a department, in which this Act is administered.
participant ...
permitted general situation means a permitted general situation described in schedule 4, part 1.
permitted health situation means a permitted health situation described in schedule 4, part 2.
personal information see section 12.
portfolio area see the Parliament of Queensland Act 2001, schedule.
portfolio committee see the Parliament of Queensland Act 2001, schedule.
prescribed information ...
prescribed written notice ...
principal officer means—
(a)in relation to a department—the chief executive of the department; or
(b)in relation to a local government—the chief executive officer (however described) of the government; or
(c)in relation to a government owned corporation—the chief executive officer (however described) of the government owned corporation; or
(d)in relation to a subsidiary of a government owned corporation—the principal officer (however described) of the subsidiary; or
(e)in relation to a public authority for which a regulation declares an office to be the principal office—the holder of the office; or
(f)in relation to another public authority—
(i)if it is an incorporated body that has no members—the person who manages the body’s affairs; or
(ii)if it is a body (whether or not incorporated) that is constituted by 1 person—the person; or
(iii)if it is a body (whether or not incorporated) that is constituted by 2 or more persons—the person who is entitled to preside at a meeting of the body at which the person is present.
privacy commissioner means the Privacy Commissioner appointed under this Act.
privacy complaint see section 164.
privacy principle requirements means—
(a)for an agency—the requirements under chapters 2 and 3 applying to the agency; or
(b)for a bound contracted service provider—the requirements under chapter 2, parts 1 and 2 and section 41 applying to the service provider under section 36(1).
privacy principles ...
processing period ...
publication includes a book, magazine or newspaper.
public authority has the meaning given by section 21.
public library includes—
(a)the State library; and
(b)a local government library; and
(c)a library in the State that forms part of a public tertiary educational institution.
public record means a public record under the Public Records Act 2023.
QPP see section 26.
QPP code see section 40(1).
QPP privacy policy, for schedule 3, see QPP 1.3.
relevant chief executive ...
relevant entity means an agency or bound contracted service provider.
relevant healthcare information ...
respondent, for a privacy complaint, see section 164.
response period, for a privacy complaint to a relevant entity, for chapter 5, part 1, see section 164A(1).
responsible person, for an individual, for schedule 4, means—
(a)a parent of the individual; or
(b)a child or sibling of the individual if a health professional believes the child or sibling has capacity; or
(c)a spouse of the individual; or
(d)a relative of the individual if the relative is a member of the individual’s household; or
(e)a guardian of the individual; or
(f)a person exercising a power under an enduring power of attorney made by the individual that is exercisable in relation to decisions about the individual’s health; or
(g)a person who has sufficient personal interest in the health and welfare of the individual; or
(h)a person nominated by the individual to be contacted in case of emergency.
reviewable decision ...
review under this Act ...
Right to Information Act means the Right to Information Act 2009.
RTI commissioner means the RTI commissioner under the Right to Information Act.
sensitive information, for an individual, means the following—
(a)information or an opinion, that is also personal information, about the individual’s—
(i)racial or ethnic origin; or
(ii)political opinions; or
(iii)membership of a political association; or
(iv)religious beliefs or affiliations; or
(v)philosophical beliefs; or
(vi)membership of a professional or trade association; or
(vii)membership of a trade union; or
(viii)sexual orientation or practices; or
(ix)criminal record;
(b)health information about the individual;
(c)genetic information about the individual that is not otherwise health information;
(d)biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e)biometric templates.
serious harm, to an individual in relation to the unauthorised access or unauthorised disclosure of the individual’s personal information, includes, for example—
(a)serious physical, psychological, emotional or financial harm to the individual because of the access or disclosure; or
(b)serious harm to the individual’s reputation because of the access or disclosure.
service arrangement see section 34.
solicit, for schedule 3, by an entity in relation to personal information, means ask another entity to provide the personal information, or to provide information of a kind in which the personal information is included.
standing rules and orders see the Parliament of Queensland Act 2001, schedule.
subsidiary see the Government Owned Corporations Act 1993.
transfer period ...
use, personal information, see section 23.