7.7 Information Privacy
Queensland's first privacy legislation commenced on 1 July 2009. The Information Privacy Act 2009 (the IP Act) regulates the collection, storage, use and disclosure of personal information by Queensland Government agencies and provides a right for individuals to access and amend personal information about them that the government holds.
The IP Act replaces Information Standards 42 and 42A and continues the requirement for agencies to comply with privacy principles. The IP Act also allows individuals to apply to agencies to access and amend personal information about themselves and gives them rights to internal and external review of access and amendment decisions.
Like the RTI Act, the IP Act applies to agencies which is defined as including public authorities. The term “public authority” has the same meaning as in the RTI Act, meaning that most Government Boards are captured. The IP Act states that:
“a board, council, subcommittee or other body established by government to help, or to perform functions connected with, an agency is not a separate agency, but is taken to be comprised within the agency”.1
Personal information
The IP Act defines personal information as:
“information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.2
Access and amendment
Chapter 3 of the IP Act gives members of the public a right to access and amend personal information about them in documents held by agencies. Access and amendment of personal information was previously dealt with under the now repealed FOI Act. However, a person may now elect for their RTI application to be dealt with as an application under the IP Act if the application is for a document containing their personal information.3
The IP Act and RTI Act are designed to work together, and the procedures for access and amendment of personal information are consistent with the procedures in the RTI Act.4 However, there are no application fees or processing charges for applications under the IP Act.
Privacy principles
Under the IP Act, agencies must comply with the Information Privacy Principles (IPPs), except for Queensland Health, which is required to comply with the National Privacy Principles (NPPs). The IPPs are set out in Schedule 3 of the Act and the NPPs are set out in Schedule 4. The following is an overview of the IPPs.
Collection of Personal Information (IPPs 1-3)
Agencies can only collect personal information directly related to their activities or functions and must do so in a way that is not unfair or unlawful. The collection of this information should not unreasonably intrude upon the personal affairs of the individual concerned.
In most cases when collecting personal information, agencies must advise an individual why the information is being collected and to whom the information is normally disclosed.
Reasonable steps are to be taken to ensure that personal information collected is relevant for the purpose for which it is collected, up to date and complete.
Storage and Security and Providing Information (IPPs 4-5)
Agencies in possession of personal information are to ensure that there are reasonable safeguards to prevent loss and unauthorised access, use, modification or disclosure of the information.
Agencies must also take all reasonable steps to ensure that a person can find out whether the agency has documents containing personal information, the type of information, the main purposes for which the information is used and how a person can obtain access to those documents.
Access and Amendment (IPPs 6-7)
Individuals are entitled to access and amend documents containing their personal information. Chapter 3 of the IP Act gives individuals a formal right to apply to access and amend their personal information. The agency must take all reasonable steps, including making appropriative amendments to ensure that personal information is accurate, relevant, complete, up to date and not misleading.
However, agencies have a general obligation under the IPPs to give effect to individuals' requests to access or amend their personal information administratively wherever possible without the need for formal application under the IP Act.
Accuracy (IPP 8)
Agencies must take reasonable steps to ensure that personal information is accurate, up-to-date and complete, before using it.
Use and Disclosure (IPPs 9-11)
In general, agencies must use personal information only for the purpose for which it was collected and disclose personal information only if the individual concerned is aware of, or has consented to, that use or disclosure if it is for another purpose. However, there are certain other circumstances in which agencies may use or disclose personal information without consent, including if it is necessary to lessen or prevent a serious threat to life, health, safety or welfare, necessary for certain law enforcement purposes or if authorised or required under a law.
Contracted service providers
The IP Act provides that agencies must take all reasonable steps to ensure service providers are contractually bound to comply with the privacy principles.5 This applies to new service arrangements entered into after the IP Act's commencement, where the services are for performing one or more of the contracting agency's functions and involve the transfer of personal information to the contracting agency.
The IP Act does not apply to contracts or other arrangements between agencies and service providers that were entered into before 1 July 2009. To maintain any existing obligations of a service provider in relation to the repealed Information Standards 42 and 42A, Section 210 of the IP Act provides that the information standards continue to apply for those contracts.
Learn more about Information Privacy.