Queensland government privacy
Queensland government agencies have to follow the rules in the Information Privacy Act 2009 (IP Act) when they handle personal information.
Departments, Ministers, public hospitals, public universities, local councils, and statutory bodies like the Ombudsman are all agencies.
Personal information is any information about someone who can be identified.
If you think an agency has breached your privacy by not following the rules in the IP Act, you can make a privacy complaint.
Who is not covered?
The IP Act does not cover private healthcare providers or private companies and businesses, even if they’re in Queensland. Many of them will have to follow a different privacy law, called the Privacy Act 1988. This is a federal law that is looked after by the Office of the Australian Information Commissioner.
It does not cover private citizens.
Some parts of Queensland government are excluded from the IP Act, including courts and tribunals, Commissions of Inquiry, and MPs.
What are the privacy rules?
The main privacy rules are the Queensland Privacy Principles (QPPs).
QPP 1 — Open and transparent management of personal information
- Requires agencies to manage personal information in an open and transparent way.
- Requires a clear, up-to-date and accessible QPP privacy policy, and practices and procedures to ensure QPP compliance.
QPP 2 — Anonymity and pseudonymity
Requires agencies to allow individuals the option of not identifying themselves (i.e. to deal with the agency anonymously or pseudonymously) unless it is required or authorised under law or impracticable.
QPP 3 — Collection of solicited personal information
Provides that agencies:
- can only collect personal information that is reasonably necessary for, or directly related to, one of their functions or activities
- must collect it lawfully and fairly, and
- must collect it from the individual unless an exemption applies (including consent, lawful authority/requirement and law enforcement), or it is unreasonable or impracticable to do so.
Higher standards apply to the collection of sensitive information.
Personal information is only collected if the agency solicits it, that is, the agency asks someone for it or otherwise takes active steps to acquire it. Unsolicited personal information sent to an agency is not collected and must be assessed under QPP 4.
QPP 4 — Dealing with unsolicited personal information
Requires agencies to assess unsolicited personal information to determine whether they could have collected it under QPP 3 and/or whether it is a public record. If not, agencies may be required to destroy or de-identify unsolicited personal information, subject to public record laws. Otherwise, QPPs 5 to 13 apply.
QPP 5 — Notification of the collection of personal information
Requires agencies that collect personal information to take reasonable steps to make sure individuals are aware of the matters listed in QPP 5, including agency contact details, the fact and circumstances of the collection if collected from someone other than the individual, and the consequences if the information is not collected.
This applies when personal information is collected from an individual or from a third party.
Agencies do not need to provide a formal QPP 5 notice. The QPP 5 matters can be communicated in other ways, for example, informally or verbally.
QPP 6 — Use or disclosure of personal information
Agencies can only use or disclose personal information for the reason it was collected, unless QPP 6 allows it to be used or disclosed for a secondary purpose. These include:
- instances where the individual has consented to the use or disclosure of the information
- the individual would reasonably expect the agency to use or disclose the information for the secondary purpose (subject to limitations)
- where it is required or authorised by law or reasonably necessary for law enforcement activities
- permitted general situations such as lessening or preventing a serious threat or locating a missing person (set out in schedule 4, part 1 of the IP Act), and permitted health situations (set out in schedule 4, part 2 of the IP Act).
[Note: There is no QPP 7, 8 or 9]
QPP 10 — Quality of personal information
Requires agencies to take reasonable steps to ensure the personal information:
- they collect, use, or disclose is accurate, up to date and complete, and
- for use or disclosure, is relevant to the purpose of the use or disclosure.
QPP 11 — Security of personal information
- Requires agencies to take reasonable steps to protect the personal information they hold from misuse, interference or loss, and unauthorised access, modification or disclosure.
- Requires agencies to take reasonable steps to destroy or de-identify personal information that is no longer needed for any purpose and is not a public record or otherwise required to be retained under law or court or tribunal order.
QPP 12, QPP 13 — Access to/correction of personal information
Requires agencies to give access to and correct personal information, subject to limitations.
There are also rules about when an agency can send personal information out of Australia, how agencies manage contractors and privacy, and what an agency has to do if there is a data breach.
The rules in the IP Act let agencies use and disclose personal information for reasons like:
- sharing it with other agencies to prevent a threat or to assist with law enforcement activities
- because another law or a court says they can or must, or as part of court proceedings, or
- because what they're doing with the personal information is related to the reason they collected it in the first place.
What if the agency doesn’t follow the rules?
If you think an agency didn’t follow the privacy rules with your personal information, you can make a privacy complaint.
You can also make a privacy complaint if you think an agency didn’t follow the rules with your child’s personal information.