In effect from: 1 July 2025

What are the Queensland Privacy Principles?

The Queensland Privacy Principles (QPPs) are the rules agencies must follow when handling personal information, unless an exception applies, for example:

  • section 28 of the IP Act allows agencies not to comply with QPP 6 or QPP 10.2 in relation to personal information related to or connected with information published by the individual or provided by the individual for publication;
  • section 29 of the IP Act allows specified law enforcement agencies not to comply with QPP 3.6, 5, 6 or 10.1 if satisfied on reasonable grounds that noncompliance is necessary for the specified enforcement activity;
  • schedule 1 of the IP Act lists documents to which the privacy principle requirements do not apply.

QPP 1 - transparency and privacy policies

The object of QPP 1 is to ensure agencies manage personal information in an open and transparent way. Agencies must:

  • take reasonable steps to implement practices, procedures and systems that will ensure they comply with the QPPs and are able to deal with related inquiries and complaints
  • have a clearly expressed and up-to-date QPP privacy policy; and
  • take reasonable steps to make their QPP privacy policy available free of charge and in an appropriate form (e.g., on a website).

Implementing practices, procedures and systems to ensure QPP compliance

QPP 1 requires an agency to take reasonable steps to implement practices, procedures and systems relating to the agency’s functions and activities that will:

  • ensure the agency complies with the QPPs; and
  • enable the agency to deal with inquiries or complaints from individuals about the agency’s compliance with the QPPs.

In addition to being a general statement of an agency’s obligation to comply with the QPPs, QPP 1 requires agencies to take ongoing, proactive steps to establish and maintain internal practices, procedures and systems that ensure compliance with the QPPs.

Reasonable steps

The requirement that agencies implement practices, procedures and systems is qualified by a ‘reasonable steps’ test. What are reasonable steps will depend upon the circumstances, including:

  • The nature of the personal information. More rigorous steps may be required as the amount and sensitivity of personal information increases.
  • The possible adverse consequences for an individual if their personal information is not handled as required by the QPPs. More rigorous steps may be required as the impact of not handling the personal information increases.
  • The practicability, including time and cost involved, of implementing them. A ‘reasonable steps’ test recognises that privacy protection must be viewed in the context of the practical options available to an agency. However, an agency is not excused from implementing specific practices, procedures, or systems only because they would be inconvenient, time-consuming or impose some cost. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.

Type of practices, procedures and systems

The specific practices, procedures, and systems an agency introduces to comply with the QPPs will vary from agency to agency; however, at a minimum, agencies should implement:

  • procedures for identifying and managing privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction or de-identification.
  • security systems for protecting personal information from misuse, interference, and loss and from unauthorised access, modification, or disclosure in accordance with QPP 11.
  • a commitment to conducting a Privacy Impact Assessment (PIA) for new projects in which personal information will be handled, or when a change is proposed to information handling practices. Whether a PIA is appropriate will depend on a project's size, complexity and scope, and the extent to which personal information will be collected, used or disclosed.
  • procedures for identifying and responding to privacy breaches, including meeting any notification obligations.
  • clear privacy complaint procedures that explain how to make a privacy complaint and how privacy complaints or inquiries will be handled.
  • procedures that give individuals the option of being anonymous or not identifying themselves, or using a pseudonym, when dealing with the agency where doing so is practicable or permitted in accordance with QPP 2.
  • governance mechanisms to ensure compliance with the QPPs, e.g., designated privacy officers and regular reporting to the agency’s executive officers.
  • regular staff training and information bulletins on the QPPs and on the agency’s QPP compliance practices, procedures, and systems.
  • appropriate supervision of staff who regularly handle personal information, and reinforcement of the agency’s QPP compliance practices, procedures and systems.
  • mechanisms to ensure that agents and contractors in the service of, or acting on behalf of, the agency comply with the QPPs. The IP Act's mandatory data breach notification rules do not apply to contractors; however, agencies should consider including data breach notification requirements in the service arrangement, e.g., that the agency and/or affected individual must be notified.
  • a program of proactive review and audit of the adequacy and currency of the QPP privacy policy and of the practices, procedures and systems implemented under QPP 1.

QPP Privacy Policies

Under QPP 1, agencies must have a clearly expressed and up-to-date QPP privacy policy that explains how the agency manages personal information, tailored to the agency’s specific information handling practices.

If an agency has multiple responsibilities, involving different kinds of personal information being handled by separate parts of the agency or in unique ways, the most suitable approach may be a set of privacy policies (accessible from a single location on the website) to cover the different privacy practices.

A QPP privacy policy should explain how the agency manages the personal information it collects, and the information flows associated with that personal information. This reflects the central object of QPP 1, which is to ensure that agencies manage personal information in an open and transparent manner. However, the policy is not expected to detail all the practices, procedures and systems adopted to ensure QPP compliance.

The policy should be directed to the different audiences who may consult it. Primarily this will be individuals whose personal information is, or is likely to be, collected or held by the agency. If personal information is relevant to particular classes of individuals, or if information about specific community members is handled differently, this should be explained and signposted by headings. For example, if an agency adopts different practices for handling the personal information of children or individuals with a disability, this should be made clear in the policy.

At a minimum, a QPP policy should:

  • be accessible
  • be easy to understand, avoiding or defining agency or sector specific terms, jargon, or legalistic language
  • be easy to find, use, and navigate; and
  • include only information that is relevant to the agency’s management of personal information.

There is no required style or format for a QPP privacy policy, but because it will generally be made available on the agency’s website, it should be written in a way suitable for web publication.

Specific information to include in a QPP Privacy Policy

QPP 1.4 specifies the minimum information a QPP privacy policy must include:

  • the kinds of personal information the agency collects and holds, including whether it collects and holds sensitive information
  • how personal information is collected and held, including how the agency stores and secures personal information
  • the purposes for which personal information is collected, held, used and disclosed
  • how an individual can access their personal information and seek its amendment – this could include whether administrative access is available for accessing personal information and a link to the agency’s RTI page
  • how an individual can complain if the agency breaches the QPPs or a QPP code and how the complaint will be handled – this could refer and link to a separate privacy complaint handling procedure
  • if the agency is likely to disclose personal information to overseas recipients, and, if practicable, the countries in which such recipients are likely to be located.

Data breach policies

Under section 73 of the IP Act, agencies must publish a data breach policy. Agencies should cross-reference the QPP privacy policy and the data breach policy to improve transparency.

Made appropriately available at no cost

Agencies must take reasonable steps to make their QPP privacy policies available free of charge in an appropriate form. Although this is a ‘reasonable steps’ obligation, there will rarely, if ever, be no reasonable steps an agency can take to meet it.

The agency’s QPP Policy should be published on the agency’s website, preferably linked from the website’s footer, and locatable using the website’s search function. The policy should meet website accessibility requirements, e.g., be compatible with screen readers.

QPP privacy policies written for online publication may be more effective and easier to understand if they use a layered approach. This involves providing a summary of key information with direct links to the policy’s detailed information.

If the privacy policy is spread across multiple webpages, a PDF or link to a page containing the full policy should be included, to assist with printing and downloading.

It is important that an agency’s QPP privacy policy is also available offline for no charge, e.g., a hard copy can be requested to be sent by post or made available for collection from a public facing office of the agency.

Regular review

Agencies should regularly review and update their QPP privacy policy to ensure that it reflects current information handling practices. This review could, at a minimum, be undertaken as part of an agency’s annual planning processes or whenever the structure, organisation, or responsibilities of the agency change.

QPP 2 - anonymity and pseudonymity

QPP 2 provides that individuals must have the option of dealing with an agency anonymously or by pseudonym. However, an agency is not required to give individuals this option:

  • if the agency is required or authorised under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves; or
  • where it is impracticable to deal with individuals who have not identified themselves or who use a pseudonym.

Agencies should ensure that, where appropriate, individuals are made aware that they can deal anonymously or pseudonymously with the agency.

Anonymity vs pseudonymity

Anonymity

Anonymity means that the individual dealing with an agency cannot be reasonably identified, and the agency does not ask them for personal information or information that might identify them. The agency should not be able to identify the individual at the time of the dealing or subsequently.

Anonymous dealings include an unidentified individual telephoning an agency to make general enquiries or seek general advice or information or lodging an anonymous complaint using an online form.

Pseudonymity

Pseudonymity means that the individual gives the agency a name, term, or descriptor instead of their actual name (a pseudonym).

Examples include using an email address that does not contain the individual’s actual name, a username that a person chooses when creating an online account or filling out an online form, or a caller to an agency who identifies themself using something other than their name, e.g., a nickname or the name of a fictional character.

The use of a pseudonym does not mean that an individual cannot be identified, particularly if the individual uses a consistent pseudonym or their email or phone number has been used in identified agency interactions. A pseudonymous individual may also choose to divulge their identity or may volunteer identifying information where doing so is necessary to implement their request or transaction.

However, the object of QPP 2 is to give individuals the opportunity to deal with the agency without revealing their identity where it is appropriate to do so. Personal information should only be linked to a pseudonym where this is required or authorised by law or a court or tribunal order, it is impracticable for the agency to act differently, or the individual has consented to providing or linking the additional personal information.

Providing anonymous and pseudonymous options

Agencies should ensure that anonymous and pseudonymous options are available to individuals, and that individuals are made aware of this option.

This does not apply where:

  • anonymity or pseudonymity is already the default option
  • agencies are required or authorised to deal with identified individuals; or
  • there is no practicable way for the individual to deal anonymously or pseudonymously with the agency.

The steps an agency should take to draw both options to the attention of individuals will depend on the nature of the dealing between the agency and an individual. One method is to include this information in the agency’s QPP Privacy Policy. The privacy policy could set out:

  • the circumstances in which an individual can deal anonymously or by pseudonym with the agency
  • how the individual can deal anonymously or pseudonymously with the agency
  • any potential negative consequences of dealing anonymously or pseudonymously with the agency, e.g., the agency cannot follow up on or provide outcomes for a complaint made anonymously; and
  • the circumstances in which an individual cannot deal anonymously or pseudonymously with the agency and the reasons why they cannot.

If the agency has a procedure for managing pseudonyms and any linked personal information, this could also be included.

Other measures that can facilitate anonymous and pseudonymous dealing include:

  • if the agency provides a facility on its website for online communication, it can include a prominent statement advising individuals that they do not need to identify themselves when using it. This includes ensuring personal information fields in online forms are not mandatory.
  • if telephone calls to the agency are routed through an automated message, informing callers in that message that they are not required to provide personal information
  • if the agency solicits public submissions or comments, it could explicitly allow individuals to use a pseudonym that will be published, even if the individual’s name is supplied confidentially to the agency
  • when otherwise dealing with an individual, if it can be conducted anonymously or pseudonymously the agency could advise the individual at the beginning of the dealing.

Where identification is authorised or required

An agency is not required to offer an anonymous or pseudonymous option where it is authorised or required to deal with an identified individual. Generally, the authorisation or requirement must arise from a law, or from orders of a court or tribunal.

If an agency is authorised to deal with identified individuals, the agency may have the discretion to allow the individual to be anonymous or pseudonymous. If the agency is required by law to deal only with identified individuals, there is no discretion.

The nature of any discretion, and whether it is appropriate to rely upon it, will depend on the source of the authority or requirement and the nature of the dealing.

Situations where an agency would only be able to deal with an identified individual include:

  • processing an individual’s application for an identity document, licence, or approval
  • processing a claim for, or paying a benefit to, an individual
  • providing assistance to an individual who has been diagnosed with a disease that must be recorded and notified under a public health law
  • providing assistance to a suspected victim of child abuse, whose injury is covered by a mandatory reporting requirement
  • discussing the individual’s personal information with them
  • processing access or amendment applications under the Right to Information Act 2009; or
  • giving the individual administrative access to their personal information.

Where the agency can only deal with an identified individual, it should ensure it collects only the minimum amount of personal information required to meet its obligations. For example, if the individual is required to provide identification documents, the agency should determine whether the requirement can be met by sighting the documents instead of taking a copy, and put procedures in place to do so. This aligns with QPP 3, which requires agencies to collect only personal information that is reasonably necessary for one or more of their functions or activities.

Requiring identification where it is impracticable not to

Agencies are not required to allow anonymous or pseudonymous dealing where it is impracticable to deal with individuals who have not identified themselves.

It may be impracticable for an agency to deal with an individual who is not identified where, for example:

  • the individual is making a complaint about how their case was handled or how staff of an agency behaved towards them. Without knowing who the complainant is, the agency would generally not be able to investigate and resolve it.
  • an individual wants information or products posted or delivered; the agency will generally need to know the individual’s address but may not need their name
  • the individual is seeking health care or a health service from the public health system.

In limited circumstances it may be open to an agency to rely on the impracticability exception where the burden of the inconvenience, time, and cost of dealing with anonymous or pseudonymous individuals, or of changing existing systems or practices to include the option of anonymous or pseudonymous dealings, would be excessive in all the circumstances. However, this would generally only be a transactional, rather than an ongoing or permanent justification.

Unless an agency is required or authorised to deal with individuals who have identified themselves, it is expected to design and maintain information collection systems that incorporate anonymous and pseudonymous options.

Where it is impracticable to facilitate anonymous or pseudonymous dealings, agencies must ensure they collect only the minimum personal information required for the dealing. This is consistent with the obligation in QPP 3.

QPP 3 - collection of solicited personal information

Under QPP 3, an agency must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of its functions or activities.

Agencies must collect personal information by lawful and fair means, and it must be collected only from the individual unless:

Sensitive information

Under QPP 3.3, agencies can only collect sensitive information where the collection is reasonably necessary for, or directly related to, functions or activities of the agency and the individual consents, or one of the criteria below applies:

Solicited information only

The obligations in QPP 3 only apply to solicited personal information. An agency solicits personal information if it asks someone to provide personal information or information of a kind in which personal information is included.

Unsolicited information is information that someone gives or sends to an agency at their own instigation, for example a petition from a community member that includes their personal information and the personal information of the signers. QPP 3 does not apply to unsolicited personal information. It is covered by QPP 4.

Reasonably necessary for, or directly related to, functions or activities

Agencies must only collect personal information, including sensitive information, that they need. Specifically, the personal information must be:

Determining whether a particular collection of personal information complies with QPP 3.1 involves a two-step process:

  • identifying an agency’s functions or activities, and
  • determining whether collecting the personal information is reasonably necessary for, or directly related to, one of those functions or activities.

An additional step is required in relation to the collection of sensitive information.

Directly related to

QPP 3 allows an agency to collect personal information directly related to one or more of its functions or activities. This requires there to be a direct connection between the personal information being collected and an agency function or activity.

Reasonably necessary for

QPP 3 also allows an agency to collect personal information that is reasonably necessary for one of its functions or activities.

Whether it is reasonably necessary to collect personal information is an objective test: would a reasonable person who is properly informed agree that the collection is reasonably necessary? The onus is on the agency to demonstrate that a particular collection was reasonably necessary.

Collection will only be reasonably necessary where the collection of the personal information helps to achieve the function or activity and it could not reasonably happen without the information.

Asking for irrelevant information will breach the privacy principles because it is not necessary for the functions or activities. Forms, questionnaires, interview questions and other tools for gathering personal information must be assessed against the purpose an agency is trying to fulfil, to ensure that they collect only necessary personal information and do not go further than is needed.

Factors which could make collection of personal information unnecessary include:

  • collecting information about a group of people when information is only needed about some of the people in the group
  • collecting a wide range of personal information when only specific facts are needed
  • recording unnecessary information where it is provided verbally—only relevant information should be written down
  • taking copies of identification (for example, a passport) where it is only necessary to see it; or
  • collecting unnecessary background or financial information.

The QPPs are based on the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth). Some circumstances in which the Office of the Australian Information Commissioner (OAIC) determined that the collection of personal information was not reasonably necessary for the function or activity were:

  • a job applicant being asked to advise if they had suffered a work-related injury or illness, when this was not relevant to the position being advertised
  • a person applying to open a bank account being asked to complete a standard form application that included a question about marital status, when this had no bearing on the applicant's eligibility to open an account; and
  • a medical practitioner photographing a patient for the patient's medical file, when this was not necessary to provide a health service.

Other situations where the collection of personal information may not be reasonably necessary for an agency’s functions or activities include:

  • collecting personal information about a group of individuals, when information is only required for some of those individuals
  • collecting more personal information than is required for a function or activity, e.g., collecting all the information from an individual’s driver licence when the purpose is to establish if the individual is aged 18 years or over; and
  • collecting personal information that is not required for a function or activity but is being entered in a database in case it might be needed in the future.

Collection by lawful and fair means

Under QPP 3.5, agencies must collect personal information, including sensitive information, only by lawful and fair means.

Collecting by lawful means

For collection to be lawful, it must be done in accordance with the law and not be done in a way that breaches a law. This includes criminal, civil and common law but will not generally include a breach of contract. Unlawful collection includes:

  • any collection of personal information directly or indirectly prohibited by another law, e.g., restrictions on collecting specific information or collecting information in specific circumstances
  • where an agency has the power to collect the information, but it exercises the power improperly or exceeds the power; or
  • collecting information for an unlawful purpose.

Examples include:

  • collecting information in breach of legislation or in a way that breaches legislation
  • requesting or requiring information in connection with, or for the purpose of, an act of discrimination
  • collecting by a means that would constitute a civil wrong, for example, by trespassing on private property or threatening damage to a person unless information is provided
  • collecting information contrary to a court or tribunal order, for example, contrary to an injunction issued against the agency.

Collecting by fair means

Personal information is collected fairly where the collection does not involve intimidation or deception and is not unreasonably intrusive. The agency must be open and not mislead the individual or coerce or intimidate them into providing information against their will.

When collecting personal information, agencies must not:

  • mislead people about the confidentiality of information
  • misrepresent what they will do with the information
  • mislead people about who is collecting personal information, or why the information is being collected
  • make false or misleading claims about the consequences of not giving information
  • collect voluntary information as if it was compulsory, for example, by telling people that they are legally required to answer all questions on a form when some questions may be optional; or
  • obtain information by trickery, misrepresentation, deception or under duress.

Whether a collection uses unfair means will often depend on the circumstances. For example, it would usually be unfair to collect personal information covertly without the knowledge of the individual. However, this may be a fair means of collection if undertaken in connection with an investigation.

Some examples where collection may be unfair (some may also be unlawful) include:

  • collecting from a file discarded by accident on a street, or from an electronic device which is lost or left unattended
  • collecting from an individual who is traumatised, in a state of shock or intoxicated
  • collecting in a way that disrespects cultural differences
  • misrepresenting the purpose or effect of collection, or the consequences for the individual of not providing the requested information
  • collecting by telephoning an individual in the middle of the night
  • collecting by deception, for example, wrongly claiming to be a police officer, doctor, or trusted organisation.

QPP 4 - dealing with unsolicited personal information

All personal information acquired by an agency is either solicited or unsolicited personal information. QPP 3 governs the collection of solicited personal information. QPP 4 governs unsolicited information.

Unsolicited personal information is personal information received by an agency that the agency took no active steps to collect. It is information that someone gives or sends to an agency at their own instigation, for example a petition from a community member that includes their personal information and the personal information of the signers.

Personal information is not unsolicited because an agency collects it by mistake, for example by forgetting to turn off a body worn camera.

Under QPP 4, when agencies receive unsolicited personal information they must decide whether, if the agency had solicited it, it could have been collected under QPP 3.

If the agency would not have been permitted to collect it under QPP 3, and the information is not contained in a public record, the agency must destroy or deidentify the information as soon as practicable if it is lawful and reasonable to do so.

The agency must destroy or deidentify the unsolicited personal information as soon as practicable if:

  • it would not have been permitted to collect the personal information under QPP 3
  • it is not contained in a public record; and
  • it is lawful and reasonable to do so.

All unsolicited personal information retained by the agency must be dealt with in accordance with QPPs 5-13.

What is unsolicited personal information

Personal information received by an agency is either solicited or unsolicited. Unsolicited personal information must be dealt with in accordance with QPP 4, which means an agency must first identify whether the information was solicited or unsolicited.

As noted above, personal information is unsolicited if the agency took no active steps to collect it. Examples of unsolicited personal information include:

  • misdirected mail received by an agency
  • correspondence sent to agencies from members of the community or other unsolicited correspondence sent to an agency
  • a petition sent to an agency that contains names and addresses
  • an employment application sent to an agency on an individual’s own initiative and not in response to an advertised vacancy
  • a promotional flyer containing personal information, sent to an agency by an individual promoting the individual’s business or services.

As a general rule, if an agency requests certain personal information and the person they requested it from provides additional personal information, beyond what the agency asked for, the additional personal information should be treated as unsolicited. For example:

  • if an individual completes an application form provided by an agency but chooses to attach financial records the agency did not ask for, the records would generally be unsolicited personal information; or
  • if an agency requests an individual’s medical records about a specified injury from another entity, and the entity provides all of the individual’s medical records, the records that do not relate to the specified injury would generally be unsolicited personal information.

Where it is unclear whether personal information is solicited or unsolicited, agencies should focus on the nature of the additional personal information and the connection it has with the agency’s request. If the agency cannot decide, it is generally safest to treat the personal information as unsolicited personal information and destroy or deidentify it if it is lawful and reasonable to do so.

Determining what to do with unsolicited personal information

If an agency decides that personal information it receives is unsolicited, it must identify what QPP 4 requires.

The first step is for the agency to determine:

  • Is the personal information contained in a public record?
  • Would QPP 3 have permitted the agency to collect the personal information?

QPP 4 states that this must be done within a reasonable period after receiving the information. The length of time that constitutes a reasonable period will depend on the circumstances. The agency can undertake any internal processes necessary to make its determination, but it should do so as promptly as possible.

QPP 3 permits use or disclosure of unsolicited personal information to the extent necessary to determine if the agency could have collected it under QPP 3 or if it is contained in a public record.

Contained in a public record

Information will be contained in a public record if it meets the definition in section 6 of the Public Records Act 2023 (Qld). Public records must be retained, and can only be disposed of, in accordance with the relevant Retention and Disposal Schedule issued by the State Archivist. See the State Archivist’s Get started with records management for more information.

If information is contained in a public record, the agency does not need to consider whether it could have been collected under QPP 3. The information must be retained and handled in accordance with QPPs 5-13 and the Public Records Act 2023 (Qld) and must not be destroyed or de-identified.

Collectable under QPP 3

Essentially QPP 3 requires:

  • that the personal information is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities
  • that it must be collected directly from the individual unless QPP 3 provides otherwise; and
  • where the information is sensitive information, that it must be collected from the individual unless QPP 3 provides otherwise.

If the agency determines that it could have collected the personal information under QPP 3, the agency may keep the personal information. If it keeps it, the personal information must be handled in accordance with QPPs 5-13.

If the agency determines that unsolicited personal information is not a public record and could not have been collected under QPP 3, it must determine if the information can be de-identified or destroyed.

Destruction or deidentification of unsolicited personal information

Once an agency determines that unsolicited personal information could not have been collected under QPP 3 and is not a public record, it must determine if it is lawful and reasonable to destroy or deidentify the personal information.

Lawful destruction or deidentification

It will be lawful for an agency to destroy or deidentify unsolicited personal information if doing so is not criminal, illegal, or prohibited or proscribed by law (i.e., unlawful). Unlawful activity does not generally include breach of a contract.

Destruction will not be lawful where:

  • an Act or Regulation requires the agency to retain the personal information; or
  • a court, tribunal, or body with legal power to issue binding orders has made an order requiring the personal information to be retained for a specified purpose or period.

It is important that agency officers dealing with unsolicited personal information are aware of, and where needed make the necessary inquiries to identify, any legal rules or orders that would make it unlawful to destroy or deidentify the information.

If destruction or deidentification is lawful, the agency must determine if doing so would be reasonable.

Reasonable to destroy or deidentify

Whether destruction or deidentification will be reasonable is a question of fact to be determined in each individual situation. It is an objective standard, having regard to how a reasonable person who was properly informed would be expected to act in the circumstances.

Relevant considerations can include:

  • the amount and sensitivity of the personal information
  • whether unsolicited personal information is entwined with solicited personal information in a way that would be difficult, impractical, or impossible to separate
  • any request from a law enforcement agency to retain the unsolicited personal information pending completion of an investigation
  • whether the agency has considered a range of options for destroying or de-identifying the personal information
  • any request from the individual that the agency retain or return the personal information
  • if destruction or deidentification of all the information is unreasonable in a short timeframe, whether it could be undertaken in stages; and
  • the practicability, including time and cost involved. However, an agency cannot avoid destroying or de-identifying the personal information only because it would be inconvenient, time-consuming or impose some cost. Whether these factors make it unreasonable to destroy or deidentify personal information will depend on whether the burden is excessive in all the circumstances.

These and other relevant considerations should be applied cautiously. Before deciding that unsolicited personal information cannot reasonably be destroyed or de-identified, agencies should examine all viable options for doing so. For example, if solicited and unsolicited personal information is intertwined, agencies could consider whether it is practicable to create a new document containing only the solicited personal information, allowing the original to be de-identified or destroyed, as long as doing so is consistent with public records obligations.

As soon as practicable

Once an agency has decided that it is both lawful and reasonable to destroy or deidentify unsolicited personal information, the agency must do so as soon as practicable.

A practicable timetable can take technical and resource considerations into account, along with the time it takes to make necessary internal or external inquiries. However, it is the agency’s responsibility to justify any delay in destroying or de-identifying unsolicited personal information.

QPP 5 - notification when collecting personal information

When an agency collects personal information, QPP 5 requires it to take reasonable steps to inform the individual, or make them aware, of the matters listed in QPP 5.2 (referred to as QPP 5 matters). The obligation applies whether the agency collects personal information directly from the individual or from a third party.

The obligation in QPP 5 applies to solicited personal information and to any unsolicited personal information which is not de-identified or destroyed under QPP 4.

The QPP 5 matters

Agencies that collect personal information must take reasonable steps to tell the individual, or make them aware of:

  • the identity and contact details of the agency
  • if the personal information is collected from someone other than the individual, or the individual may not be aware that it has been collected—the fact and circumstances of the collection
  • whether the collection is required or authorised by or under an Australian law or a court/tribunal order, including the name of the law or details of the order
  • the purposes of collection
  • the main consequences (if any) for the individual if the personal information is not collected
  • the agency’s usual disclosures of this kind of personal information
  • information about the agency’s QPP privacy policy including how to access and amend personal information held; and
  • whether the agency is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

Identity and contact details and the QPP privacy policy

The most appropriate contact details will generally be those of the agency’s privacy officer or privacy team, unless the collection relates to a project or other undertaking with a designated privacy contact. Agencies should consider creating a generic privacy phone number and/or email address so that the contact details remain accurate in the event of staff changes.

If the agency is communicating in writing with an individual, it can include a link to the QPP privacy policy. Where communication is verbal, the agency officer should explain how to find the policy on the website.

Fact and circumstances of the collection

Fact and circumstances of collection includes:

  • the fact that the agency is collecting, or has collected, the personal information
  • if personal information was not collected directly from the individual—how, when, and from where it was collected.

Whether it was required or authorised by law or order

Collection of personal information does not need to be required or authorised by an Australian law or court/tribunal order. However, where it is, details of that law or order must be included in the QPP 5 notice or otherwise communicated to the individual as required by QPP 5. This includes:

  • the name of the law, e.g., the Act, Regulation, or other instrument or details of the order; and
  • the specific provision that covers the collection unless it is not practicable to do so.

The purposes of collection

The purpose of collection is the specific function or activity for which the agency is collecting the personal information—this is the primary purpose (or purposes). The primary purpose determines what the agency can do with the information and may also contribute to whether it can be used or disclosed for a secondary purpose.

An agency should not collect personal information, whether from the individual or a third party, without a purpose that complies with QPP 3.

The purpose needs to be clearly stated and not simply refer to a broad function of the agency. The aim is to provide enough information for the individual to understand why the information is being collected and what it will be used and/or disclosed for. However, there is no need to include information about internal purposes which are part of ordinary business practices, such as auditing, planning, or de-identifying personal information.

The amount of detail required will vary depending on the circumstances. If, for example, the individual is filling out an agency form, the form’s title may be sufficient to inform the individual of the purpose. Alternatively, a more detailed notice may be needed where the information being collected will be used for more than one purpose.

If the agency knows it is likely to use or disclose the personal information for secondary purposes, it should consider including them. This may assist in establishing the reasonable expectation required for use or disclosure under QPP 6.2(a).

Determining the purpose of collection

Where the agency collects personal information directly from an individual, the context will often make it clear why it is being collected, e.g., the individual provided it to apply for a specific service or is responding to questions as part of an investigation.

Where personal information is collected from a third party, identifying the function or activity for which the agency requires the information will assist in determining the purpose of collection.

When an agency is dealing with unsolicited personal information it has decided to retain under QPP 4, there will be no primary purpose of collection. Instead, the agency should consider why it has retained it and include that information when advising the individual of the QPP 5 matters.

Any consequences if the information is not collected

Individuals must be informed if there are any consequences for not providing their information to the agency. This will generally only be relevant where the agency is collecting personal information directly from the individual or from a direct representative of the individual, e.g., a parent or guardian, or when seeking the individual's consent to collect their personal information from a third party, e.g., a health care provider.

The agency does not need to list every possible consequence, just the significant consequences that could be expected to result. If the individual can avoid or lessen those consequences, for example by providing only some information or a different kind of information, this should be explained.

Consequences for not providing information could include:

  • the agency not being able to process an application for a licence, permit, allowance or concession
  • the agency not being able to properly investigate or resolve an individual’s complaint; or
  • the agency only being able to provide a lesser or different level of service.

Usual disclosure of information, including overseas disclosures

When collecting their information, agencies must inform individuals of any entity to which it will usually be disclosed.

Agencies are not required to include details of every possible disclosure they can imagine occurring. The obligation only covers disclosures an agency knows will, or are highly likely to, occur, because that is what the agency usually does with this kind of personal information. This may be, for example, because of a standing arrangement or a legislative obligation. It is not an agency’s usual practice to disclose information if it only does so in response to irregular requests or exceptional cases.

If the entities to which the agency usually discloses personal information are located outside of Australia, the agency must include that fact, along with the countries they are located in.

Reasonable steps

QPP 5 requires agencies to take reasonable steps to tell individuals, or ensure they are aware of, the QPP 5 matters. What constitutes reasonable steps will vary depending on the circumstances, including:

  • The sensitivity of the personal information collected. If an agency collects sensitive information or information that would generally be seen as sensitive, it may need to take more rigorous steps.
  • Any possible adverse consequences an individual could face as a result of the agency collecting their personal information. The greater the risk of adversity, the more rigorous the steps an agency may need to take.
  • Whether the individual, due to their circumstances, could find the QPP 5 matters difficult to understand. Extra steps may be required to ensure they are aware of what they mean, e.g., translating them into other languages, providing a ‘plain English’ version, or offering them in different formats.
  • The practicability, including time and cost involved. However, an agency cannot avoid its QPP 5 obligations just because it would be inconvenient, time-consuming or impose some cost to do so. Whether those factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances.

Some examples of reasonable steps an agency could take include:

  • When collecting personal information directly from the individual on a form or website, clearly and prominently displaying the QPP 5 matters in the form or providing a readily accessible and prominent link to a QPP 5 notice.
  • If an agency regularly collects personal information from individuals over the phone, having an automated message that explains the QPP 5 matters, or gives the individual the option to hear the QPP 5 matters, or giving staff who answer the phones a script they can use at the beginning of any calls.
  • If an agency collects personal information verbally from individuals, whether over the phone or in person, having a brochure, fact sheet, template email or webpage that explains the QPP 5 matters and putting processes in place to ensure it is sent to the individual as soon as possible afterwards.
  • If an agency uses a third party to collect personal information, ensuring the third party notifies or makes individuals aware of the QPP 5 matters on its behalf (e.g., as part of the contract).

When not taking any steps might be reasonable

The obligation in QPP 5 is not absolute. It only requires an agency to take the steps that are reasonable in the circumstances to notify the individual of, or make them aware of, the QPP 5 matters.

In some circumstances, there may be no reasonable steps an agency can take or no reasonable steps it needs to take, for example where:

  • The agency knows that the individual is already aware that personal information is being collected, the purpose of collection and other QPP 5 matters relating to the collection.
  • The agency has regularly collected the same kind of personal information from the same individual for the same reason and they were given a QPP 5 notice at the original collection. Note, however, that if circumstances change or a long period of time has elapsed since the original notice, meaning the individual may no longer be aware of relevant QPP 5 matters, the agency may need to give them a new QPP 5 notice or otherwise make them aware.
  • Notification could pose a serious threat to the life, health, safety, or welfare of an individual or pose a threat to public health, safety or welfare, for example, where a law enforcement agency collects personal information from a confidential source as part of an investigation.
  • Notification could jeopardise the purpose of collection or the integrity of the personal information collected and there is a clear public interest in the purpose of collection, for example, a law enforcement agency undertaking lawful covert surveillance of an individual in connection with a criminal investigation.
  • Notification would be inconsistent with other legal obligations, for example, where doing so would breach a confidentiality or secrecy provision, violate legal professional privilege, or be a breach of confidence.
  • An agency collects personal information about an individual who poses (or is alleged to pose) a risk of committing family violence and this collection is permitted by a legislated family violence information sharing scheme.
  • The impracticability of notification, including where the time and cost of doing so outweighs the privacy benefit of notification. For example: where an agency collects next of kin or emergency contact information, it would generally be reasonable for the agency to take no steps to notify the individual that it had collected personal information; or where an individual provides unsolicited personal information about a third party, e.g., as part of a complaint or dispute resolution process, it would generally be reasonable for the agency to take no steps to notify the third party, particularly if the agency won’t rely on it when investigating or resolving the matter.
  • The personal information was provided by a third party and the agency does not have the individual’s contact details.

When to provide the QPP 5 matters

When collecting directly from the individual, agencies should take reasonable steps to inform the individual or make them aware of the QPP 5 matters before or when they collect personal information. This allows the individual to make an informed choice about whether to give their personal information to the agency.

If this is not practicable, or if the agency is collecting personal information from a third party, the reasonable steps should be taken as soon as practicable after the information has been collected.

For unsolicited personal information that the agency determines cannot be destroyed or de-identified under QPP 4, the reasonable steps should be taken as soon as practicable after the determination is made.

Examples of when it may not be practicable to take reasonable steps at or before the time of collection include where:

  • urgent collection of the personal information is required and giving a notice or ensuring awareness would unreasonably delay the collection, for example, where there is a serious threat to an individual’s life or health or to public safety or in the context of providing an emergency service; or
  • the medium through which personal information is collected makes it impracticable to provide a detailed QPP 5 notice or ensure awareness at or before the time of collection. For example, where personal information is collected by telephone, it may be impracticable to notify or ensure the individual is aware of all of the QPP 5 matters at the time of collection.

Whether there are any reasonably practicable steps is an objective test and an agency should ensure that it is able to demonstrate that there were none it could take. Conducting a privacy impact assessment is a useful mechanism to record those reasons. Options for providing early notification or ensuring awareness should, where practicable, be built into information collection processes and systems – for example, by including relevant information in standard forms and online collection mechanisms.

If notification does not occur before or at the time of collection, the agency must take reasonable steps to provide notification, or ensure the individual is aware, as soon as practicable after the collection. In adopting a timetable that is ‘practicable’, the agency can take technical and resource considerations into account. However, it will be up to the agency to justify any delay in notification.

How to provide the QPP 5 matters

An agency is not required to provide a formal QPP 5 notice. It can notify or make individuals aware of the QPP 5 matters using any appropriate method. This creates flexibility for agencies to provide this information in the way that best suits the agency, the individuals, and the circumstances of collection.

The QPP 5 matters can roughly be divided into:

  • general information about the agency’s practices; and
  • specific information about the personal information being collected.

Given this divide, agencies could consider meeting their obligations through a two-part process, e.g.:

  • including brief notices on forms that cover the specific information being collected; and
  • creating webpages and/or brochures that provide an expanded notice containing the QPP 5 matters, with the link included on, or the brochure included with, the form.

QPP 6 - use and disclosure of personal information

An agency can use and disclose personal information for the reason it was collected (the primary purpose) or for a secondary purpose set out in QPP 6.

QPP 6.1 – Consent

An agency can use or disclose personal information for a secondary purpose if it has the individual’s consent. Certain things must be present for consent to be valid:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific; and
  • the individual has the capacity to understand and communicate their consent.

Whether these factors can be met will depend on the specific circumstances and the nature of the information and the individual.

For the QPPs, consent includes implied consent. As a general rule, an agency should seek express consent. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the agency.

The more sensitive the personal information, or the more privacy invasive the use or disclosure, the more important it is to have express agreement. Relying on implied consent carries risk for agencies.

Agencies cannot:

  • assume that an individual has consented to a use or disclosure just because it appears advantageous to them; or
  • establish implied consent by stating that if the individual knew about the benefits of the use or disclosure, they would probably consent to it.

Consent compared with notice

Obtaining an individual’s consent is not the same as providing information or a notice under QPP 5.

When an agency gives a notice or information under QPP 5 it is telling the individual what will happen with their personal information, i.e., what it will be used for and how it will be disclosed. When an agency seeks an individual’s consent it is asking for their permission to use or disclose their information for the secondary purpose.

QPP 6.2(a) – Related purpose

Under QPP 6.2(a), an agency can use or disclose personal information for a secondary purpose if the individual would reasonably expect the agency to use or disclose the information for the secondary purpose and the secondary purpose is related to, or for sensitive information directly related to, the primary purpose of collection.

Would the individual reasonably expect the secondary purpose

QPP 6.2(a) requires that the individual would reasonably expect their information to be used or disclosed for the secondary purpose.

The reasonably expects test is an objective one that has regard to what a reasonable person who was properly informed would expect in the circumstances. It is a question of fact in each individual case and it is the responsibility of the agency to be able to justify its conduct. The actual expectations of the individual are relevant, but they are not the final answer as to whether an individual would reasonably expect the use or disclosure.

The agency should consider whether an individual would reasonably expect it to use or disclose all their information for the secondary purpose or only some of it. For example, it would be unlikely that an individual would reasonably expect an agency investigating their complaint against a contractor to disclose the individual’s residential address to the contractor as part of its investigation. The individual would reasonably expect the agency to give the contractor only the minimum amount of personal information necessary to enable them to respond to the complaint.

Regardless of the individual’s reasonable expectations, the agency should only use or disclose the minimum amount of personal information necessary for the secondary purpose.

Examples of where an individual may reasonably expect their personal information to be used or disclosed for a secondary purpose include where:

  • the individual makes adverse comments in the media about the way an agency treated them. In these circumstances, it may be reasonable to expect that the agency would respond publicly to these comments in a way that reveals personal information specifically relevant to the issues that the individual has raised
  • the agency notified the individual of the secondary purpose under QPP 5; or
  • the secondary purpose is a normal internal business practice, such as auditing, business planning, billing or de-identifying personal information.

A secondary use or disclosure may be reasonably expected where the use or disclosure is inextricably linked to the primary purpose of collection. However, in some circumstances, despite the link between the primary and secondary purpose, the use or disclosure would not be reasonably expected. For example, where an agency collects the contact details of an individual turning in a lost wallet, providing that information to the wallet's owner so the owner could thank the finder would not be a reasonably expected secondary purpose despite its link to the primary purpose.

Related or directly related to the primary purpose

QPP 6.2(a) is limited to using or disclosing personal information for a secondary purpose that is related or, for sensitive information, directly related to the primary purpose of collection.

What was the primary purpose

Under QPP 3, agencies can only collect personal information for an identified primary purpose. Determining if the proposed secondary purpose relates or directly relates to the primary purpose requires the person making that determination to know what the primary purpose was.

If the individual the information is about was given a notice or information under QPP 5, it will assist in determining the primary purpose of collection.

If the individual was not given a notice or information under QPP 5, the agency will need to consider other information to determine the primary purpose, e.g.:

  • the information itself
  • the context in which the information was collected
  • the entity the information was acquired from
  • what the agency did with the personal information after it acquired it; and/or
  • any legislation, policies, plans or schemes underpinning its acquisition and/or original use.

Related to

For personal information that is not sensitive information the secondary purpose only needs to be related to the primary purpose.

A related secondary purpose is one which is connected to or associated with the primary purpose. There must be more than a tenuous link.

Examples of where a secondary purpose is related to the primary purpose of collection include:

  • for personal information collected for the primary purpose of collecting a debt, contacting the individual’s former neighbours to ask if they know where to locate them would be a disclosure for the secondary purpose of locating the individual, which is a related and reasonably expected secondary purpose
  • for employee personal information collected for the primary purpose of administering their employment and included in their employee file, a related and expected secondary purpose would be using it as part of a workplace investigation into complaints by the individual about working conditions; or
  • using personal information for the purpose of de-identifying it as required by QPP 11 is a related and reasonably expected secondary purpose.

Directly related to

Sensitive personal information can only be used or disclosed under QPP 6.2(a)(i) for a secondary purpose directly related to the primary purpose. This requires a stronger connection between the use or disclosure and the primary purpose of collection.

The contemplated secondary purpose must be directly connected to or associated with the primary purpose or arise in the context of the primary purpose. There must be a close relationship between the purpose of the use or disclosure and the purpose for which the personal information was obtained.

A directly related purpose can be sufficiently associated with the primary purpose even if it is not strictly necessary to achieve that purpose.

Examples of secondary uses or disclosures which are directly related to the primary purpose include where:

  • information obtained for the primary purpose of operating a program is used or disclosed for the purpose of monitoring, evaluating, auditing or managing that program
  • information obtained for the primary purpose of investigating complaints is used or disclosed for the secondary purpose of conducting follow up surveys or reporting survey or investigation results to a relevant oversight body or responsible senior officer; or
  • information obtained for the primary purpose of receiving payment of a fee or charge is used or disclosed for the secondary purpose of recovering or writing off the unpaid money.

QPP 6.2(b) – Australian law or court order

An agency can use or disclose personal information for a secondary purpose if it is required or authorised under an Australian law or a court or tribunal order to do so.

Impliedly authorised or required

Generally, the use or disclosure must be explicitly required or authorised by or under a law or order. However, there are some circumstances where the requirement or authorisation may be implied.

If it is not possible to take an action required or authorised by the law or comply with an order of a court or tribunal without using or disclosing the information, the use or disclosure will be impliedly required or authorised. For example, an Act that authorises an agency to collect personal information about an individual from a third party impliedly authorises the agency to disclose the individual’s identity to the third party.

QPP 6.2(c) – Permitted general situations

An agency can use or disclose personal information for a permitted general situation set out in schedule 4, part 1 of the IP Act.

QPP 6.2(d) – Permitted health situations

A health agency can use or disclose personal information for a permitted health situation set out in schedule 4, part 2 of the IP Act.

Only health agencies can rely on the permitted health situations.

QPP 6.2(e) – Enforcement activities

Under QPP 6.2(e), an agency can use or disclose personal information for a secondary purpose if the agency reasonably believes that the use or disclosure is reasonably necessary for one or more enforcement-related activities of a law enforcement agency.

QPP 6.2(e) allows use and disclosure by a law enforcement agency for one of its enforcement-related activities. It also allows use and disclosure by a non-law enforcement agency, if the non-law enforcement agency reasonably believes the use or disclosure is reasonably necessary for an enforcement-related activity being conducted by a law enforcement agency.

For agencies whose primary function is law enforcement, such as the QPS, not every activity they carry out will be an enforcement-related activity. Human resources, general administration, budgeting and finance, for example, will not comprise enforcement-related activities merely because those activities are being carried out by a law enforcement agency.

Similarly, agencies which have specific law enforcement functions in addition to other functions, such as local government authorities, can only rely on the law enforcement exceptions for enforcement activity that is related to those specific law enforcement functions.

Other non-law enforcement agencies considering disclosure of personal information to a law enforcement agency under this exception can only disclose personal information to the law enforcement agency if the non-law enforcement agency reasonably believes that disclosure is reasonably necessary for one or more of the law enforcement agency’s enforcement-related activities.

For example, if the Department of Water Quality was investigating a possible breach of the Clean Water Act 2007 by a local farmer, it could disclose personal information about the farmer, for example that he was being investigated, to the local council, neighbours, or farmhands, if the disclosure was a necessary part of the Department's investigation.

Note the use or disclosure

If personal information is used or disclosed under QPP 6.2(e), QPP 6.5 requires the agency to make a written note of the use or disclosure.

QPP 6.2(f) – ASIO

An agency can disclose personal information to ASIO where all the criteria under QPP 6.2(f) have been met.

Definitions for 6.2(f)

ASIO is the Australian Security Intelligence Organisation established under the Australian Security Intelligence Organisation Act 1979 (Cth).

The Director-General of ASIO is the person who has been appointed as the Director-General of Security under the Australian Security Intelligence Organisation Act 1979 (Cth).

What does 6.2(f) require?

Under QPP 6.2(f), ASIO must ask the agency to disclose the personal information.

The request must be made in writing by an officer or employee of ASIO who has written authorisation from the Director-General of ASIO to make the request. The authorised officer or employee must also certify in writing that the personal information they are asking for is required in connection with the performance by ASIO of its functions.

The personal information must only be disclosed to an officer or employee of ASIO who has written authorisation from the Director-General of ASIO to receive it.

QPP 6.2(g) – Public interest research

Under QPP 6.2(g) personal information can be used or disclosed where:

  • the personal information is necessary for research or the compilation or analysis of statistics in the public interest
  • the use or disclosure does not involve the publication of all or any of the personal information in a form that identifies any individual
  • it is not practicable to obtain the express or implied consent of each individual the subject of the personal information before the use or disclosure; and
  • if the personal information is disclosed to another entity, the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity.

Consent and planning for future research needs

As a general rule, it is preferable for personal information to be used for research with the consent or reasonable awareness of the individual.

Where an agency collects or holds information with research value, potential future research needs should be considered. Where appropriate, the use of personal information for future research can be built into the information provided under QPP 5.

Research in the public interest

Before an agency can rely on the QPP 6.2(g) public interest research exception, it must first consider:

  • whether the work can be undertaken with unidentified or de-identified information instead of personal information
  • what method will be used to ensure the final product is effectively de-identified
  • for disclosure, what steps the agency will take to ensure it can be satisfied that the recipient will not disclose the information to anyone else
  • whether the information will be disclosed outside Australia as part of the research
  • whether it is impracticable to seek the consent of the potential subjects; and
  • whether the work is in the public interest.

Key criteria for QPP 6.2(g)

Necessary

When considering whether the use or disclosure is necessary, an agency must consider to what degree the personal information is needed for the research.

It will be a question of degree, to be determined having regard to the purpose of the research, its intended outcomes, and the extent to which it is dependent on the personal or health information. If de-identified information can or would serve the same purpose, then the use or disclosure of the information is not necessary.

Research

Research generally involves diligent and systematic inquiry or investigation into a subject in order to discover facts or principles. It must begin with a clearly defined goal around which the study is designed. The data gathered as part of the research must be aimed at assisting the researcher towards achieving that goal.

It should be more than a reorganisation or restatement of the facts contained in the data; it must use a clear procedure to analyse a body of information or data and extract new meaning from it or develop unique solutions to problems or cases.

Statistics

Compilation or analysis of statistics is the act or process of collecting numerical data or undertaking a detailed examination of the elements or structure of numerical data, especially in or about large quantities, and inferring conclusions about the whole from conclusions reached from the whole or a representative sample.

In the public interest

For research to be in the public interest, it must be done ethically. The results it is aimed at achieving, the questions it is attempting to answer, or the knowledge it is seeking to gain must be of potential benefit to more than just the agency which holds the information or the individual conducting the research.

Research in the public interest would commonly involve something beneficial to the well-being of society as a whole, or a specific segment of it, with an emphasis on areas for which the government has responsibility.

Research that may be in the public interest could include research into:

  • public health issues
  • public safety issues
  • social welfare issues
  • criminal matters, such as trends, prevention, effectiveness of deterrence measures
  • protection of children and disabled or disadvantaged members of society
  • environmental health, protection and improvement
  • better delivery and increased effectiveness of government services.

All proposed research projects where personal information is considered necessary must be individually assessed to determine if they are actually in the public interest. When making this assessment, agencies should consider how the public interest is being defined, for example, whether it goes beyond the agency’s own needs or potential benefit to consider the greater implications for the public as a whole.

Agencies should also consider how the public is expected to benefit from this research. Will it:

  • bring greater knowledge, insight, or understanding
  • improve social welfare, public safety, or individual well-being or minimise a serious harm; or
  • enhance the delivery or improve the effectiveness of a government service.

Other relevant considerations include:

  • whether there is a risk or potential cost to the community if the research is not conducted
  • whether the potential subjects of the research are at any risk of harm as a result of their personal information being used in this way; and
  • whether the research is being conducted in an ethical way, consistent with the accepted standards for research involving human beings.

Not practicable to obtain consent

Consent is the simplest way of using or disclosing personal information for a purpose not contemplated at the time of collection. The public interest exception in QPP 6.2(g) can only be relied on if it is not practicable, or is impracticable, to obtain consent.

Not practicable does not mean difficult or undesirable. To be impracticable, it must be impossible, or extremely difficult, to seek consent. The fact that seeking consent is inconvenient or would involve expenditure of some effort or resources is not sufficient.

The impracticability of obtaining consent must not be confused with the undesirability of obtaining consent. For example, it is not sufficient that, if consent were sought, refusal by some individuals would make the research project more difficult.

Whether it is impracticable to seek consent will depend on the individual circumstances. When making this determination, the following are relevant considerations:

  • the age of the information
  • the size of the subject pool
  • whether the individuals concerned are likely to have moved or died
  • the lack of current or ongoing contact with the individuals, and a lack of sufficient information to determine their current contact details (bearing in mind the obligation to ensure information is accurate and up to date before use); and
  • the resources required to obtain consent would be a significant drain on the agency or researcher to the extent that the research could not be done.

Satisfied the relevant entity will not disclose

Where agencies are disclosing personal information under QPP 6.2(g) rather than using it themselves, they must be satisfied on reasonable grounds that the entity receiving it will not disclose it to anyone else.

In addition, agencies should ensure the entity will:

  • appropriately safeguard the information against loss, misuse, and unauthorised access
  • not use the information for any other purpose; and
  • return the information or destroy it at the conclusion of the research.

This could be achieved by way of a contract, Memorandum of Understanding, Deed of Privacy or other instrument that binds the recipient of the information to deal with it in a specific way.

Note

Queensland Privacy Principles 7-8 do not exist, as the Queensland government adopted the numbering of the Australian Privacy Principles.

QPP 10 - accuracy of personal information

QPP 10 requires agencies to take reasonable steps to ensure the quality of personal information they deal with. Specifically, they must take reasonable steps to ensure:

  • the personal information they collect is accurate, up to date and complete; and
  • having regard to the reason for the use or disclosure, the personal information they use or disclose is accurate, up to date, complete and relevant.

In addition to creating robust privacy protections, these requirements help ensure greater administrative efficiency and can save the time, potential embarrassment, and possible adverse effects of making decisions based on incorrect or incomplete information.

When does an agency have to take reasonable steps

The agency must take reasonable steps to ensure the quality of personal information at two distinct times: the first, when the information is collected and the second, when the personal information will be used or disclosed.

Agencies aren’t required to review the personal information they hold outside the specific obligations in QPP 10, but doing so can help agencies ensure the overall and ongoing quality of the personal information they hold.

What steps are reasonable

What constitutes reasonable steps will vary depending on the circumstances. Factors to consider when determining what steps are reasonable include:

  • the likelihood that the information in question is accurate, complete, and up to date
  • whether the information is likely to change over time (for example, date of birth will not change but address and contact details may change frequently and should be regularly checked)
  • how recently the information was collected (for example, if an officer uses information soon after collecting it directly from an individual, it probably does not need to be checked)
  • how reliable the information is likely to be—this may include professional judgements about whether, or what, information requires verification
  • who provided the information (if the information was collected from third parties the need to confirm its accuracy may increase)
  • how the information will be used, or under what circumstances it is being disclosed (for example, it will always be reasonable to ensure that an individual’s address details are correct in sending a referral letter or appointment by mail)
  • the consequences if the information being used or disclosed is inaccurate, incomplete or out of date
  • how sensitive the personal information is—more rigorous steps may be required if the information being collected, used, or disclosed is sensitive information or is personal information generally considered to be of a sensitive nature
  • the nature of the agency, including its size, resources, and responsibilities; a large agency that routinely works with sensitive information may be expected to take more steps than a small agency that routinely works with non-personal information; and
  • the practicability of the steps, including the time and cost involved. However, an agency cannot avoid taking particular steps simply because doing so would be inconvenient, time-consuming or impose some cost. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances.

In some circumstances there may be:

  • no reasonable steps an agency can take, for example, where the information was collected from a third party and neither the individual nor anyone else who could verify it is available; or
  • no reasonable steps an agency is required to take, for example, where it has collected the information directly from the individual it is about.

However, the onus will be on the agency to establish this.

Reasonable steps an agency could take include:

  • implementing internal practices, procedures, and systems to audit, monitor, identify and correct poor quality personal information (including training staff in these practices, procedures and systems). For example, if the agency commonly uses or discloses personal information in time-critical situations where it is not possible to take steps to ensure its accuracy, the agency could put procedures in place to review the quality of the personal information at regular intervals
  • implementing protocols to ensure personal information is collected and recorded in a consistent format. For example, to help assess whether personal information is up to date, an agency could, where practicable, note when it was collected, any point in time to which it relates, and if it is an opinion or a verified fact
  • ensuring updated or new personal information is promptly added to relevant existing records
  • providing individuals with a simple means to review and update their personal information on an on-going basis, for example through an online portal
  • reminding individuals to update their personal information each time they engage with the agency
  • contacting the individual to verify the quality of their personal information when it is used or disclosed, particularly if there has been a lengthy period since collection; or
  • if personal information is to be used or disclosed for a secondary purpose, assessing the quality of the personal information with regard to the secondary purpose before its use or disclosure.

In most circumstances, a reliable way of ensuring quality will be to verify the information against the original source. However, in some cases that may be unreasonable because, for example:

  • the original source may no longer be available
  • checking the original source may be unreasonably expensive
  • the consequences of the personal information being incorrect are likely to have nominal or minimal impact; or
  • there is reason to believe that the source information may not be accurate or may have become inaccurate over time.

If agency officers cannot reasonably check with the original source, there are often other methods that can be used to ensure information accuracy.

Collection from third parties

If an agency regularly collects personal information from a third party it should put appropriate practices, procedures and/or systems in place to ensure the personal information’s quality. Depending on the circumstances and the nature of the third party this could include:

  • enforceable contractual arrangements requiring the third party to implement appropriate measures to ensure the quality of the personal information the agency collects from it, including where appropriate binding the third party under Chapter 2, part 3 of the IP Act; and
  • undertaking due diligence in relation to the third party’s quality practices prior to the collection.

Accurate, up to date, complete and relevant

Accurate

Personal information is inaccurate if it contains an error or defect or if it is misleading. Incorrect factual information can include the wrong name, date of birth, residential address or current or former employer.

An opinion about the individual is not inaccurate just because the individual disagrees with it. An opinion will generally be accurate if it is clear that it is an opinion and not objective fact, it accurately records the view of the opinion giver, and is based on reasonable grounds.

Up to date

Personal information is out of date if it contains facts, opinions or other information that is no longer current. An example is a statement that an individual lacks a particular qualification or accreditation that the individual has subsequently obtained.

Information that was accurate when it was collected may be superseded by later information or events. Whether that makes the original personal information out of date will depend on why it was originally collected, used, or disclosed and what the agency wants to do with it now. If the agency needs more current information, the original personal information will, to that extent of the agency’s current purpose, be out of date.

Complete

Personal information is incomplete if it presents a partial or misleading picture, rather than a true or full picture, for example a database which says that an individual has not paid their rates, when the rates have actually been paid, albeit late. The information will be incomplete under QPP 10 if the database is used or disclosed for the purpose of providing information about the individual’s payment history.

Similarly, a document which lists only two rather than all three children of the parent(s) will be incomplete under QPP 10 if that personal information is used for the purpose of, and is relevant to, assessing a person’s eligibility for a benefit or service which relates to the number of children a person or family has.

Collection of personal information will be reasonably necessary for one of the agency’s functions if the agency is collecting it to ensure the information it already holds is complete.

Relevant - use or disclosure only

Agencies must take reasonable steps to ensure personal information is relevant before they use or disclose it. Personal information will be irrelevant if it does not have a bearing upon, or connection to, the purpose for which it will be used or disclosed.

For example, if an agency is disclosing medical records for the purposes of a WorkCover claim, it should only disclose the parts of the record that are relevant to that secondary purpose.

QPP 11 - security of personal information

Under QPP 11, agencies must take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification or disclosure.

QPP 11 also requires agencies to destroy or de-identify personal information once it is no longer needed for any purpose for which it could be used or disclosed under the QPPs.

This obligation is subject to the provisions of the Public Records Act 2023 (Qld) and/or any order of a court or tribunal requiring the agency to retain the information.

Security of personal information

The matters QPP 11 requires an agency to take reasonable steps to protect personal information from are: misuse, interference, loss, unauthorised access, unauthorised modification, and unauthorised disclosure of personal information.

These terms are not defined in the IP Act and their meanings often overlap.

Agencies may find the Privacy risk register template helpful when implementing QPP 11.

Misuse

An agency misuses personal information if it uses it for a purpose not permitted by the IP Act.

Interference

Interference with personal information occurs if there is an attack on personal information held by an agency that interferes with the personal information, but does not necessarily modify its content.

Interference includes an attack on a computer system that, for example, leads to exposure of personal information.

Loss

Loss of personal information covers the accidental or inadvertent loss of personal information held by an agency. This includes:

  • physically losing personal information, including hard copy documents, computer equipment or portable storage devices containing personal information, by, for example, leaving it in a public place
  • electronically losing personal information, by, for example, failing to keep adequate backups of personal information in the event of a systems failure.

Loss can also occur as a result of theft following unauthorised access, unauthorised modification, or as a result of power outages or natural disasters such as floods or fires.

It does not apply to the intentional destruction or deidentification of personal information done in accordance with the QPPs or the Public Records Act 2023 (Qld).

Unauthorised access

Unauthorised access of personal information occurs when personal information is accessed by someone who is not permitted to do so. This includes unauthorised access by an employee of the entity or independent contractor, as well as unauthorised access by an external third party, e.g., via malware or hacking.

Unauthorised modification

Unauthorised modification of personal information occurs when personal information is altered by someone who is not permitted to do so, or is altered in a way that is not permitted under the IP Act.

Unauthorised modification can occur as a result of, for example, unauthorised alteration by an employee, or following unauthorised access to databases by an external third party.

Unauthorised disclosure

Disclosure is defined in section 23 of the IP Act. Unauthorised disclosure occurs when an agency:

  • makes personal information accessible or visible to others outside the entity, and
  • releases that information from its effective control in a way that is not permitted by the IP Act.

This includes unauthorised disclosure by an employee of the agency.

Reasonable steps

As part of taking reasonable steps to protect personal information, an agency should consider how it will protect personal information at all stages of the information lifecycle. This includes before personal information is collected (including whether it should be collected), once it is collected and held, and when it is destroyed or de-identified once it is no longer needed.

Reasonable steps should include, where relevant, taking steps and implementing strategies in relation to:

  • governance, culture and training
  • internal practices, procedures and systems
  • ICT security
  • access security, including audit trails
  • third party providers (including cloud computing)
  • data breaches
  • physical security
  • destruction and de-identification; and
  • complying with relevant information Standards.

Practical steps to secure information

When implementing QPP 11, agencies should refer to relevant legislation, whole of government standards, regulations and policies that relate to information security, such as Information Standard 18 – Information Security (IS18). In some circumstances, compliance with such standards will be sufficient to satisfy QPP 11. In others, additional protections may be necessary.

For example, a network may be secured against outside access or infiltration, in accordance with IS18, but unless there are methods in place to control and monitor staff access, it is unlikely to comply with QPP 11.

Proper security of documents containing personal information is not limited to physical or technological security systems, but requires training, monitoring, and auditing.

Need to know

The primary safeguard in protecting documents containing personal information is to limit access only to those who need to access it in order to do their jobs.

Steps should be taken to ensure that computer and physical files which contain personal information are not readily accessible to everyone in the agency. This is particularly relevant where agencies have implemented whole of agency electronic document management systems, creating a central repository or index of all electronic files.

Using audit logs

It is important that an agency be able to determine if its security has been breached and personal information has been accessed, used, modified or disclosed contrary to the IP Act. Effective auditing will record who has accessed personal information, when, and for what purpose, and can be used to both detect and deter misuse.

A visible audit process may also help to ensure that officers access personal information only for agency purposes, which will also help to deter misuse.

To be effective, audit logs or audit trails must be usable and used. Audits must be carried out and responsibility given to a person who can assess whether a potential breach has occurred.

Agencies need to be able to interpret the audit log to determine what they need to know. For instance, does the audit log readily reveal who has accessed what information, and when? It is necessary to know what was done with the information, such as whether it was simply read, or whether it was copied, forwarded, modified, or deleted.
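As an added example (not part of the OIC guideline or any agency's system), the following Python reviews constructed audit records against the questions this section and the need-to-know section pose: who accessed what, when, for what recorded purpose, and what was done with it (read, copied, forwarded, modified, deleted). The JSON field names, the role-to-category need-to-know map and the sample records are all assumptions made for illustration.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Assumed need-to-know map: the record categories each role needs for its job.
# Any access outside this set is surfaced for review.
NEED_TO_KNOW = {
    "rates_officer": {"rates"},
    "case_worker": {"welfare", "rates"},
    "auditor": {"rates", "welfare", "health"},
}

# What was done with the information, beyond simply reading it.
EXPORT_ACTIONS = {"copy", "forward", "export"}
CHANGE_ACTIONS = {"modify", "delete"}

# Constructed sample audit records (JSON lines). The last line is deliberately
# unparseable: a log the agency cannot interpret is itself a gap worth counting.
SAMPLE_LOG = """\
{"ts": "2025-07-01T09:12:00", "user": "alice", "role": "rates_officer", "record_id": "R-1001", "category": "rates", "action": "read", "purpose": "rates enquiry"}
{"ts": "2025-07-01T09:15:00", "user": "alice", "role": "rates_officer", "record_id": "W-2002", "category": "welfare", "action": "read", "purpose": ""}
{"ts": "2025-07-01T10:02:00", "user": "bob", "role": "case_worker", "record_id": "W-2002", "category": "welfare", "action": "forward", "purpose": "referral to housing"}
{"ts": "2025-07-01T11:30:00", "user": "carol", "role": "auditor", "record_id": "H-3003", "category": "health", "action": "read", "purpose": "annual audit"}
{"ts": "2025-07-02T14:45:00", "user": "bob", "role": "case_worker", "record_id": "R-1001", "category": "rates", "action": "delete", "purpose": ""}
this line is not valid JSON
"""

REQUIRED = ("ts", "user", "role", "record_id", "category", "action", "purpose")


def parse_log(text):
    """Return (events, unparseable_count). Lines that are not JSON, lack a
    required field or carry a bad timestamp are counted, not silently dropped."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if any(k not in rec for k in REQUIRED):
                raise ValueError("missing field")
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except (ValueError, TypeError):
            bad += 1
            continue
        events.append(rec)
    return events, bad


def review_events(events, need_to_know=NEED_TO_KNOW):
    """Apply the review questions from the text and return findings as
    (rule, user, record_id, ts) tuples in log order."""
    findings = []
    for e in events:
        allowed = need_to_know.get(e["role"], set())
        if e["category"] not in allowed:
            findings.append(("outside_need_to_know", e["user"], e["record_id"], e["ts"]))
        if not str(e["purpose"] or "").strip():
            findings.append(("no_purpose_recorded", e["user"], e["record_id"], e["ts"]))
        if e["action"] in EXPORT_ACTIONS:
            findings.append(("information_left_record", e["user"], e["record_id"], e["ts"]))
        elif e["action"] in CHANGE_ACTIONS:
            findings.append(("record_changed", e["user"], e["record_id"], e["ts"]))
    return findings


def access_summary(events):
    """Answer 'who accessed what, when, and what did they do with it': per user,
    the records touched, a count of each action, and the first and last access."""
    summary = defaultdict(lambda: {"records": set(), "actions": Counter(),
                                   "first": None, "last": None})
    for e in events:
        s = summary[e["user"]]
        s["records"].add(e["record_id"])
        s["actions"][e["action"]] += 1
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return dict(summary)


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {bad} unparseable line(s)")
    for rule, user, record, ts in review_events(evs):
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:<24} user={user} record={record}")
    for user, s in access_summary(evs).items():
        print(user, sorted(s["records"]), dict(s["actions"]))
```

The findings list is what a nominated reviewer (see the preceding paragraph) would work through; the summary is the per-user answer to "who accessed what, and when".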

Physical security

Another aspect of data security is physical security, which is concerned with controlling access to places where information is kept. These can be places, like buildings, rooms, or offsite storage facilities, or objects, like a laptop computer, USB key, briefcase, file cabinet or mobile phone. This involves assessing what physical barriers or practices can be used to prevent unauthorised access, misuse, modification, use or disclosure.

Premises can be secured using a range of devices, such as locks on doors, swipe cards, security guards, access registers, keypads, or biometric readers. There may be multiple layers of authorised entry and access. For instance, a wide group of people may be authorised to pass reception and enter the building, a lesser number of people to a specific floor, and still fewer to the rooms where computer hardware or files are kept.

Where floor plans include lockable office and cubicle workstations a degree of privacy and security for personal information is available, as files could be left out and computer monitors could not be readily viewed by passers-by. However, where an office is open plan, and/or uses shared workstations and computers, consideration will need to be given to mitigating any privacy risks.

Security methods could include:

  • adopting clean desk policies
  • providing separate conference rooms in which to meet with visitors or other agency staff
  • providing rooms in which to conduct sensitive interviews or telephone calls
  • providing lockable cabinets in shared workstations for each staff member
  • providing separate log-ins for shared computers, with secure workspaces for each staff member that cannot be accessed by other users who share the computer.

An important part of QPP 11 compliance and reducing privacy and information security risks generally is effective training and education. Agency staff who are effectively trained and understand their obligations help support and maintain a robust privacy culture.

Reports by the OIC and the Crime and Corruption Commission identified key requirements for all Queensland government agencies for effective privacy and information security training, including that it should:

  • be mandatory and periodic
  • be monitored and followed up to ensure completion
  • cover all relevant elements of information privacy and information security
  • be accurate and consistent with the IP Act, any confidentiality and security obligations, and relevant policies and procedures
  • be practical, contemporary, and tailored to the agency’s context; and
  • include an assessment component.

Individual agencies are responsible for implementing OIC recommendations made to all Queensland government agencies, monitoring and reporting on progress to leadership, and taking appropriate action. OIC will continue to assess agency progress in its audit program and report to Parliament.

Training must be mandatory and periodic

Privacy and information security training should be mandatory. It forms part of an agency's induction package. Employees should complete it before having access to systems containing personal information.

Mandatory periodic refresher training is just as important. It increases the likelihood of employees retaining their awareness of information privacy and security risks. Agencies can use refresher training to alert staff to any changes in their privacy and information security policies.

By requiring their staff to undertake refresher training periodically, agencies will be able to:

  • demonstrate that their employees are aware of their privacy and information security obligations; and
  • reinforce an effective privacy culture.

Training must be monitored and followed-up

For training strategies to be effective, agencies must put robust systems and procedures in place to ensure all employees complete the required training.

Alternative training delivery

Privacy and information security training is often computer-based, which means agencies must make other arrangements for frontline and other employees who do not have ongoing access to IT networks. Alternative training methods and reminders, such as face to face or self-paced workbooks, must be put in place, along with procedures to report on training completion and follow up as needed.

When a very high proportion of staff complete the training, it reinforces an agency’s privacy culture and reduces the likelihood of privacy and information security risks materialising. This goal can be achieved by, for example:

  • automatically enrolling employees into training programs
  • setting dates by which training must be completed
  • sending prompts and email reminders to employees to complete the training when it is due
  • copying individual managers into reminder emails sent to employees
  • providing regular reports on training completion to management and/or senior executives; and
  • ensuring follow up of incomplete training with individual employees.

Training needs to target high-risk areas

An important part of effective training is recognising which parts of the agency present greater privacy and information security risks. These might be areas that, for example, handle more sensitive information or use contractors.

In addition to their privacy obligations, many agencies work with legislation that imposes confidentiality obligations on employees, including after they leave the agency. These obligations need to be addressed in the training, as they represent an area of potentially high risk. Failure to comply can also have significant consequences for employees and the community.

Agencies should address these heightened risks in their training to increase its effectiveness as a risk mitigation strategy.

Training must be contemporary, practical and tailored to the agency

To be effective, training needs to be comprehensive, contemporary, and relevant to the agency. Agencies can use training packages tailored to their work or offer general privacy and information security training and supplement it with agency specific training.

Whichever option the agency chooses, it is important that the training contains practical scenarios that show employees how to apply privacy and information security principles in their day-to-day duties. Including real-life scenarios and de-identified case studies can be particularly beneficial.

The training content should be up to date and incorporate all aspects of the agency's privacy and information security framework, including relevant privacy and information security policies and procedures.

Chapter 3A of the IP Act establishes a Mandatory Notification of Data Breach (MNDB) scheme. Under the MNDB scheme, agencies are obliged to contain, mitigate, assess and provide notification to OIC and particular individuals of eligible data breaches. Agencies are also required to develop and publish a data breach policy. Contemporary agency security training should ensure officers are aware of their obligations under the MNDB scheme, including identifying actual or suspected data breaches, and familiarising officers with the agency’s data breach policy.

As part of developing effective training, agencies have, for example:

  • developed a training module that reflects the content of the agency's Information Privacy Plan, including examples of the types of personal information the agency collects, and how the Information Privacy Principles apply to collection, use and disclosure of personal information.
  • incorporated detailed scenarios into their training package, specific to the work of the agency, which cover a wide range of situations, including collecting, using and disclosing personal information.
  • developed induction training which captures key features of the agency's information security policy, including a detailed list of employee responsibilities, and how to classify and handle information; and
  • developed mandatory refresher training that captures key elements of the agency's information security policy, including safeguarding user IDs and passwords.

Training needs to include an assessment

When training includes an assessment component, it increases the likelihood of employees understanding and retaining its content. Requiring employees to test their knowledge as part of the training gives agencies greater assurance that staff are aware of their obligations. It also enhances the effectiveness of training as a risk mitigation strategy. For example, agencies could incorporate a quiz into practical, agency-based scenarios that prompts employees to consider the correct course of action.

Additional steps

Effective training is only one part of ensuring employees understand their privacy and information security obligations. Awareness raising activities, such as email campaigns and posting information on the agency intranet, are another way to remind employees of their privacy obligations and reinforce appropriate privacy behaviours in their everyday work. For example:

  • A series of short 'did you know' articles, published on the agency intranet home page, which includes practical privacy topics, such as misdirected emails, shredding documents, floor security and privacy impact assessments.
  • Using all-staff emails and intranet campaigns to promote the agency's privacy and information security policies, including the development of a virtual cyber security champion, promoting information security in various online channels.

Destruction or de-identification of personal information

QPP 11 requires agencies to destroy or de-identify personal information that is no longer needed for any purpose.

Limitations – Public records, Australian law, and court orders

Generally, agency documents can only be destroyed or altered if the Public Records Act 2023 (Qld) and any Retention and Disposal Schedule issued under that Act authorises it.

Agencies must also comply with any other Australian law, or any court or tribunal order, that requires information or documents to be kept in an unaltered form.

As such, the obligation in QPP 11 to take reasonable steps to destroy or de-identify personal information will not apply to personal information that:

  • must be retained unaltered as a public record
  • must be retained unaltered by any Australian law; or
  • a court or tribunal has ordered must be retained.

No longer needed for any purpose

QPP 11 specifies that the personal information must no longer be needed for any purpose for which the information could be used or disclosed under the QPPs.

This means that the purpose for which it is retained in an identified form can be either the primary purpose of collection or any other secondary purpose set out in QPP 6.

However, similar to the principles governing collection of information, there must be a genuine expectation of required future use or disclosure. This means agencies must actively consider whether the personal information will actually be required for a permitted purpose. Retaining information 'just in case' it may be needed for some future use by the agency or a third party is not sufficient.

Information will often have statistical and research value and can inform and guide public policy decisions, but the purpose for which personal information is being kept must be specific and identifiable, rather than undefined and hypothetical.

Reasonable steps to de-identify or destroy

QPP 11 requires agencies to take reasonable steps to ensure that personal information is de-identified or destroyed when it is no longer needed for a permitted purpose.

De-identification

Personal information is de-identified when the identity of the individual the information is about cannot, and in the future will not, be reasonably ascertainable. De-identification must be permanent, which means that the agency must not be able to match the de-identified information with other records to re-establish the individual’s identity.

De-identification may be more appropriate than destruction if the de-identified information could provide further value or utility to the agency or a third party. For example, if:

  • the agency shares de-identified information with researchers, or
  • the agency uses de-identified information to develop or inform public policy.

Whatever de-identification method is used, the risk of re-identification must be actively assessed and managed. If the risk of re-identification cannot be appropriately minimised, the agency should consider taking reasonable steps to destroy the personal information.
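
The following is an added example, not part of the OIC guidance, showing one way an agency can test the two points above before releasing an extract: whether records can still be matched against other records, and whether the chosen method is actually permanent. It uses k-anonymity (the size of the smallest group of records sharing the same quasi-identifiers), which is a common risk measure but is not named in the guidance, and a minimum group size of 2, which is an assumed threshold. All names, postcodes, diagnoses and the "membership list" are constructed for the example.

```python
"""Re-identification risk check for a 'de-identified' extract.

Added example, not from the OIC guidance. The datasets below are
constructed: names, postcodes and diagnoses are made up, and the
minimum group size (k) is an assumed threshold, not a figure from
the guidance.
"""
import hashlib
from collections import Counter

# Constructed "de-identified" extract: direct identifiers removed, but
# quasi-identifiers (postcode, birth_year, sex) retained in full.
DEID = [
    {"postcode": "4000", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "4000", "birth_year": 1984, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "4051", "birth_year": 1972, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "4870", "birth_year": 1990, "sex": "M", "diagnosis": "hypertension"},
]

# Constructed auxiliary dataset an outsider might hold (for example a club
# membership list): the same quasi-identifiers alongside names.
AUX = [
    {"name": "A. Smith", "postcode": "4000", "birth_year": 1984, "sex": "F"},
    {"name": "B. Jones", "postcode": "4000", "birth_year": 1984, "sex": "F"},
    {"name": "C. Nguyen", "postcode": "4051", "birth_year": 1972, "sex": "M"},
    {"name": "D. Brown", "postcode": "4870", "birth_year": 1990, "sex": "M"},
]

QUASI = ("postcode", "birth_year", "sex")


def key(rec, fields=QUASI):
    """Tuple of the record's quasi-identifier values."""
    return tuple(rec[f] for f in fields)


def k_anonymity(records, fields=QUASI):
    """Size of the smallest group sharing the same quasi-identifiers.
    k == 1 means at least one record is unique and therefore linkable."""
    counts = Counter(key(r, fields) for r in records)
    return min(counts.values())


def link(deid, aux, fields=QUASI):
    """Re-identify by joining on quasi-identifiers. Returns (name, diagnosis)
    only where both sides are unique, i.e. the link is unambiguous."""
    deid_groups = Counter(key(r, fields) for r in deid)
    aux_by_key = {}
    for a in aux:
        aux_by_key.setdefault(key(a, fields), []).append(a["name"])
    hits = []
    for r in deid:
        names = aux_by_key.get(key(r, fields), [])
        if deid_groups[key(r, fields)] == 1 and len(names) == 1:
            hits.append((names[0], r["diagnosis"]))
    return hits


def generalise(rec):
    """Coarsen quasi-identifiers: postcode to its first two digits, birth
    year to decade. One mitigation; on its own it may still leave k == 1."""
    out = dict(rec)
    out["postcode"] = rec["postcode"][:2] + "**"
    out["birth_year"] = rec["birth_year"] // 10 * 10
    return out


def enforce_k(records, k, fields=QUASI):
    """Suppress records in groups smaller than k so the rest are k-anonymous."""
    counts = Counter(key(r, fields) for r in records)
    return [r for r in records if counts[key(r, fields)] >= k]


def pseudonym(name, salt="agency-salt"):
    """Deterministic hash token. Looks anonymous but is NOT permanent
    de-identification: whoever holds the salt and a candidate list can
    reverse it (see reverse_pseudonyms)."""
    return hashlib.sha256((salt + name).encode()).hexdigest()[:16]


def reverse_pseudonyms(tokens, candidates, salt="agency-salt"):
    """Dictionary attack: hash every candidate and look each token up."""
    table = {pseudonym(n, salt): n for n in candidates}
    return {t: table.get(t) for t in tokens}


if __name__ == "__main__":
    print("k of raw extract:", k_anonymity(DEID))           # 1
    print("linked:", link(DEID, AUX))                       # two people re-identified
    gen = [generalise(r) for r in DEID]
    print("k after generalising:", k_anonymity(gen))        # still 1
    safe = enforce_k(gen, 2)
    print("k after suppression:", k_anonymity(safe), "rows kept:", len(safe))
    print("linked after treatment:", link(safe, [generalise(a) for a in AUX]))
    tok = pseudonym("A. Smith")
    print("token reversed:", reverse_pseudonyms([tok], ["A. Smith", "Z. Unknown"]))
```

The point of the last two functions is the permanence test in the paragraph above: if the agency keeps the salt (or any lookup table), it can still match the tokens back to individuals, so hashing alone does not de-identify. The first four functions are the "assess and manage" step: measure k, apply a treatment, measure again, and only release when the unique records are gone.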

Where personal information is stored on third party hardware, e.g., cloud storage, and the agency tells the third party to de-identify the personal information, taking reasonable steps includes verifying that it was done.

Destruction

Personal information is destroyed if it can no longer be retrieved. The reasonable steps an agency takes to destroy personal information depends on whether the personal information is held in hard copy or electronic form.

For hard copy personal information, throwing it in the garbage or recycling would generally not constitute taking reasonable steps to destroy the personal information, unless it had already been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding.

For personal information in electronic form, reasonable steps will vary depending on the kind of hardware used to store the personal information. In some cases, it may be possible to ‘sanitise’ the hardware to completely remove stored personal information. If hardware cannot be sanitised, reasonable steps must be taken to destroy the personal information in another way, such as by physically destroying the hardware.

Where it is not possible to irretrievably destroy personal information held in electronic format, an agency should consider taking reasonable steps to de-identify the personal information. Alternatively, the agency could put the information beyond use as set out below.

If personal information is stored on third party hardware, e.g., cloud storage, and the agency tells the third party to destroy it, taking reasonable steps includes verifying that it was done.

Putting personal information beyond use

If an agency cannot irretrievably destroy personal information held in electronic format, reasonable steps to destroy it would include putting the personal information ‘beyond use’.

Personal information is beyond use if it is no longer available for use in the ordinary performance of the agency’s functions. The agency must:

  • not be able, and will not attempt, to use or disclose the personal information
  • not be able to give any other entity access to the personal information
  • apply appropriate technical, physical and organisational security to the information, including, at a minimum, access controls including logs and audit trails; and
  • commit to taking reasonable steps to irretrievably destroy the personal information if or when this becomes possible.

QPP 12 - access to personal information

QPP 12 provides that, where an agency has control of a document containing personal information, it must give the individual access to their own personal information if they ask for it, subject to limitations in QPP 12.2.

Under QPP 12.2, the agency does not have to give access if the agency is required or authorised to refuse to give the individual access under:

  • the RTI Act, for example where release of the personal information would be contrary to the public interest, the personal information is contained in a document which is not subject to the RTI Act, or an application for it would trigger a refusal to deal mechanism (Gear v the Information Commissioner [2025] QSC 162); or
  • another Queensland law that provides for people to access documents.

The right of access in QPP 12 is to information, not to the documents that contain the information, and it applies only to the requesting individual’s personal information. If their information is intertwined with the personal information of other people in a way that cannot be separated, they will not be able to access it under QPP 12.

QPP 12 does not prescribe a particular access mechanism, and agencies can give effect to the right by, for example, robust compliance with the RTI Act and administrative access schemes.

Access under the RTI Act is intended to be a last resort, which means access to personal information should not automatically be managed through the formal mechanisms of the RTI Act.

Generally, where the circumstances surrounding the information are not contentious, releasing it would not breach legislative or confidentiality obligations, and access would be given if applied for under the RTI Act, agencies should consider providing access administratively.

QPP 13 - correction of personal information

QPP 13 requires agencies to take reasonable steps to correct the personal information they hold to ensure that, having regard to the purpose for which it is held, it is accurate, up to date, complete, relevant and not misleading.

An agency is only required to take these reasonable steps if:

  • it is satisfied, independent of any request, that personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which it is held; or
  • the individual asks the agency to correct the information.

QPP 13.6 provides that the right of correction is subject to the same limits as the right of access in QPP 12.

An agency is not required to comply with QPP 13.1 if:

  • the agency would be entitled to refuse amendment under the RTI Act, for example where the personal information is not contained in a functional record, is contained in a document which is not subject to the RTI Act, or an application for it would trigger a refusal to deal mechanism (Gear v the Information Commissioner [2025] QSC 162); or
  • it is required or authorised to refuse to correct or amend the information under another Act regulating the amendment of personal information.

Correction at agency's initiative

QPP 13 does not require agencies to continually check the personal information they hold. However, an agency may become aware that personal information is incorrect in the course of business, for example:

  • information provided to the agency by the individual or a third party, for example an identity document, letter, medical record or photograph, may be inconsistent with other personal information held by the agency
  • a court or tribunal may make a finding about the personal information, in a case involving the agency or in another case that comes to the agency’s notice
  • the agency may be notified by another agency or person that the personal information is incorrect, or that similar personal information held by the other agency has been corrected; or
  • an auditing or monitoring program indicates that personal information the agency holds requires correction.

After becoming aware that personal information may require correction, agencies should take steps to satisfy themselves that the information is incorrect before taking reasonable steps to correct it. This will also help ensure agencies meet their obligation under QPP 10 to take reasonable steps to ensure the correctness of personal information they hold.

Correction on request

If an individual asks an agency to correct their personal information, the agency must take reasonable steps to correct it if it is satisfied that the information is incorrect, subject to the limitations in QPP 13.6.

QPP 13 does not prescribe a particular mechanism for correction requests, and agencies can give effect to QPP 13, for example, by robust compliance with the RTI Act and administrative mechanisms for correction.

Personal information correction, however, should not automatically be managed through the formal mechanisms of the RTI Act. Generally, where the circumstances surrounding the information are not contentious, amending it would not breach legislative obligations, and amendment would be made if applied for under the RTI Act, agencies should consider correcting it administratively.

Making a notation

If the agency refuses to correct personal information at an individual's request, e.g., because it is not satisfied the information is incorrect or there are no reasonable steps it can take to correct it, the individual can ask the agency to associate a statement with the information. If an agency refuses to correct the information, it should inform the individual that they have this option.

If the individual requests it, the agency must take reasonable steps to associate the statement with the information in a way that will make it apparent to users of the information.

If the agency refused because it was not satisfied that the information is incorrect, the statement should reflect that it is based on the individual's assertion, rather than a statement of fact.

If the agency refused correction because there were no reasonable steps it could take, the statement should clearly set out that the information is incorrect and, where appropriate, provide the correct information.

Being satisfied

Being satisfied that personal information is incorrect will not always require detailed analysis. For example, if an agency maintains an online portal through which an individual can access and correct their personal information, the agency may not need to take any additional steps. Correction may also be straightforward in other situations where, for example, an individual presents information to demonstrate that their personal information is incorrect.

If an individual requests correction and the agency needs more information before it can assess the request, it can ask the individual to provide it. However, the agency must clearly explain to the individual what information it needs, why it needs it, and the consequences of not providing it, e.g., that it may not be able to process the request or make the correction. At the same time, the burden should not be placed entirely on the individual.

Where appropriate, agencies should be prepared to search their own records and other readily accessible sources that could reasonably be expected to contain information relevant to the individual's request. A full, formal investigation into the matters about which the individual requests correction will generally not be required. The extent of any investigation required will depend on the circumstances, including the seriousness of any adverse consequences for the individual if the correction is not made.

Reasonable steps to correct

If there are no reasonable steps an agency can take, it can decline to correct personal information. The reasonable steps open to an agency include making appropriate additions, deletions or alterations to a record. In some circumstances, it may be appropriate to destroy or de-identify personal information if the agency is satisfied it is incorrect, subject to public records obligations.

Bound contracted service providers

Bound contracted service providers are not subject to the RTI Act but are subject to the QPPs.

Agencies should ensure there are processes in place for individuals to access and correct their personal information held by bound contracted service providers.

This could be done by, for example:

  • ensuring contracted service providers understand their access and correction obligations under QPP 12 and 13 and providing guidance; or
  • establishing in the contract that relevant documents remain under the control of the agency, which means individuals can apply to the agency for access to or correction of their information.