Privacy rights
The Queensland Information Privacy Act 2009 (the IP Act) provides a right for individuals to have their personal information collected and handled in accordance with certain rules or privacy principles. The Information Privacy and Other Legislation Amendment Act 2023 (IPOLA Act) was passed by Parliament on 29 November 2023, amending the IP Act, the Right to Information Act 2009 and related provisions in other legislation.
Personal information is any information that can reasonably identify you, for example your name, address, phone number, email address, date of birth or photograph.
The privacy principles only apply to Queensland Government agencies—the IP Act doesn’t cover actions by individual citizens, private sector organisations or the community sector. Organisations with an annual turnover of more than $3 million and private sector health service providers are subject to the Australian Government's privacy legislation.
The privacy principles include:
- the Information privacy principles, which apply to all agencies except for health agencies
- the National privacy principles, which apply only to health agencies
- rules about transferring information outside Australia
- rules about entering into arrangements with contractors where the arrangement will involve an exchange of personal information.
There are exceptions to the privacy principles—outlined in the IP Act—to ensure we can continue to carry out our legitimate business dealings. The privacy principles don’t apply to:
- certain entities (e.g. commissions of inquiry)
- particular functions of entities (e.g. a court’s judicial functions)
- certain documents (e.g. Cabinet documents)
- giving information to a minister to inform them about matters relevant to their portfolio responsibilities.
Only some of the privacy principles apply to:
- information related to or connected with personal information you have published or given for the purpose of publication
- specific law enforcement activities of a law enforcement agency, in certain circumstances.
How we manage your personal information
Collecting your information
We must only collect information that is directly related to, and necessary for, our functions and activities. We must do so in a way that:
- is lawful and fair, and
- does not unreasonably intrude into your personal affairs.
We must also take reasonable steps to make you aware (before or at the time of collecting):
- why we are collecting it, and
- who we will give it to, if it is our usual practice to give it to someone outside the agency.
Storing your information
When a government agency stores information, we must protect it from misuse, including unauthorised:
- access
- use
- modification
- disclosure.
Using and disclosing your information
When using or disclosing your personal information, we must first take reasonable steps to check it is correct and up to date.
We can’t:
- use more of it than we need to
- use it for another purpose except in a permitted circumstance
- disclose it outside the agency except in a permitted circumstance.
These circumstances include if:
- you have given your express (or implied) permission
- it is reasonably necessary to lessen or prevent a serious threat to life, health, safety or welfare
- it is authorised or required under a law
- it is reasonably necessary for certain activities by or for a law enforcement agency.
Obligations for health agencies
The privacy principles for health agencies cover the same actions of collection, storage, use and disclosure; however, they contain different obligations. For example, health agencies may only collect sensitive information, such as health information, in specific circumstances. A health agency may also give your personal information to someone outside their agency without relying on a permitted exception if the disclosure relates to the same reason the information was obtained in the first place.
How to access or amend your personal information
We must make sure you can easily find out what information we hold about you and how we use it. If you ask us, we must give you access to your personal information and allow you to amend it, unless it is contrary to the public interest to do so.
How to make a privacy complaint
If you believe the Queensland Government has handled your personal information in a way that’s inconsistent with the privacy principles, you have the right to make a privacy complaint.
Step 1—Contact the relevant agency
Before making a formal privacy complaint, try talking with the relevant business area in the Queensland Government agency. This is often the quickest and easiest way to address your concerns.
Step 2—Make a complaint to the relevant agency
If you are not satisfied, you can make a formal written privacy complaint to the agency explaining the act or practice you are concerned about. Keep a copy of the complaint for your records.
You can find a list of privacy contacts for each agency on the Right to Information and Information Privacy website.
If the agency resolves your complaint, the process ends here.
Step 3—Make a complaint to the Office of the Information Commissioner
The Office of the Information Commissioner (OIC) is an independent body that promotes privacy rights and obligations under the IP Act. If the relevant agency didn’t respond to you, or you’re not satisfied with their response, after 45 business days you can make your complaint to the OIC.
Check if the OIC can handle your complaint
Use the checklist to find out if the OIC can handle your complaint—if your complaint is eligible, you must make your complaint in writing.
What to include in your written complaint
Your written complaint to the OIC must include:
- details of the act or practice you are complaining about
- the date you first complained to the agency
- copies of any relevant documents
- what resolution you are seeking.
Submit your complaint
You can submit your complaint to the OIC:
- online: complete the privacy complaint form
- by email: administration@oic.qld.gov.au
- by post:
  Attention: Privacy team
  Office of the Information Commissioner
  PO Box 10143
  Adelaide Street
  BRISBANE QLD 4000
Find out more about the OIC complaints process or contact the OIC if you have questions.
You should receive notice from the OIC within 5 business days that your privacy complaint has been received. The OIC will then assess whether the subject matter of your complaint shows an ‘arguable case’ that a privacy breach has occurred, and will then provide you with a written notice that sets out the reason for their decision.
Find out what to expect when you lodge a privacy complaint.
Your complaint is accepted or rejected
If the OIC accepts your complaint, they will work with you and the respondent agency to agree on options that will resolve the complaint (mediation). If it appears to the OIC that mediation is not likely to resolve your complaint, you can ask for your complaint to be referred to the Queensland Civil and Administrative Tribunal (QCAT). If a privacy complaint is referred to QCAT, you and the respondent agency will be the parties to the hearing before QCAT.
If the OIC doesn’t accept your complaint, there are no more options available for you to continue your complaint under the Act.