In effect from: 1 July 2025
Waivers
Under section 157 of the IP Act, an agency or a bound contracted service provider can apply to the Commissioner for an approval that waives or modifies:
- the privacy principle requirements; or
- for agencies and Ministers only, the mandatory data breach assessment and notification requirements in chapter 3A, parts 2 or 3 of the IP Act, or the requirements to keep a data breach register and publish a data breach policy (data breach requirements).
Waiver or modification will only be granted if the public interest in not complying with the privacy principle or data breach requirements outweighs the public interest in compliance.
How to apply
The application for waiver or modification must be accompanied by a detailed plan of the proposed agency actions and the steps it will follow to protect individual privacy interests if the waiver or modification is approved. A Privacy Impact Assessment may assist in preparing this plan.
If several agencies will be relying on the waiver or modification, e.g., because of a similarity of functions or participation in an interagency project, they should contact the OIC to ascertain whether a joint application should be made or whether separate applications will be required.
The waiver or modification being sought must only go as far as is necessary to permit the function or activity the agency wishes to undertake. For example:
- the agency should not seek an approval to not follow QPP 3 in relation to all its activities, when it only needs the waiver in relation to a specific project; and
- an agency should not seek an indefinite approval when the function or activity will only last for a set amount of time.
The agency must explain in detail why the public interest in noncompliance outweighs the public interest in compliance and provide any supporting evidence. If the agency is seeking an indefinite approval, it must make a strong case for why an approval for a set amount of time will not be sufficient.
If applying for modification, the agency must also set out the modified way in which it will comply with the privacy principle or data breach requirements.
An agency's application for waiver or modification should include a proposed approval. A proposed approval should address all relevant issues, for example:
- identifying the specific privacy principle or data breach requirements the agency is seeking to waive or modify
- providing a detailed and precise description of the personal information involved, including whether it is sensitive information or, for health agencies, health information
- providing a detailed and precise description of the functions or activities involved
- identifying any class of individuals whose personal information will be affected by the approval
- setting out the details of any other agencies who are involved with, or which will be affected by, the proposed approval
- setting out detailed and specific reasons why the public interest in granting the proposed approval outweighs the public interest in the agency complying with the privacy principle or data breach requirements
- setting out any alternative methods the agency has considered or attempted in order to carry out the function or activity in a way that complies with the privacy principle or data breach requirements; and
- identifying the nature, extent and frequency of the function or activity.
Granting an approval
The Commissioner must be satisfied that, for the proposed approval, the public interest in compliance with the privacy principle or data breach requirements is outweighed by the public interest in carrying out the function or activity in a way that does not comply or complies differently.
The Commissioner will take all relevant considerations into account when determining whether to grant the approval. These may include:
- The extent to which the proposed approval sets out in detail the class or classes of personal information affected by the approval and details the activity or function, or class of activities or functions for which approval is sought.
- Whether the proposed approval is consistent with the objects of the IP Act, taking into account the extent to which the proposed approval protects the privacy of individuals even with the waiver or modification of the privacy principle or data breach requirements, including any privacy protections which have been included in the proposed approval.
- The extent to which the proposed approval has the potential to cause harm to individuals or to their reasonable expectations of privacy.
- Where the proposed approval affects only the information of an identifiable group or class of people, whether the proposed approval is discriminatory or whether there has been consultation with the group.
- The extent to which the modification of the privacy principle or data breach requirements is clearly expressed and able to be understood, and whether explanatory sections or material have been included in the proposed approval.
- Where the proposed approval involves disclosing personal information to third parties, especially where they are outside Australia, the extent to which the information will be protected. Details of any contractual provisions or privacy legislation binding on the recipient should be included in the application.
- Whether the agency has presented a business case that supports the proposed approval.
- The extent to which the agency would have genuine difficulty in complying with the privacy principle or data breach requirements for the function or activity.
Approving a waiver or modification
Public interest approvals for waiver or modification are granted through publication in the Queensland Government Gazette (gazette). Agencies will be advised before publication that their waiver or modification will be approved.
The gazetted public interest approval is a statutory instrument, which means the Commissioner must table it before the Legislative Assembly within 14 sitting days of publication in the gazette. If not tabled, it will cease to have effect.
If a motion is made within 14 sitting days of the gazetted approval being tabled, the Legislative Assembly has the power to pass a resolution disallowing the approval. If the motion passes, the gazetted public interest approval will cease to have effect.
The gazetted public interest approval must also be published:
- on the Commissioner's website; and
- on the agency's website, unless it is not practicable to do so.
Compliance notices
The Information Privacy Act 2009 (Qld) (IP Act) gives the Information Commissioner the power to issue a compliance notice to an agency where there has been a serious, flagrant or repeated contravention of a relevant obligation under the IP Act.
An agency must comply with a compliance notice but can apply to the Queensland Civil and Administrative Tribunal (QCAT) for review of an Information Commissioner decision to issue the notice.
Relevant obligation
Section 158(3) of the IP Act defines relevant obligation. For agencies, a relevant obligation is the requirement to:
- comply with the Queensland Privacy Principles (QPPs)
- comply with section 33, which sets the rules for disclosing personal information overseas
- comply with chapter 2, part 3 to bind certain contracted service providers to the IP Act
- comply with mandatory data breach obligations under chapter 3A, part 2 or 3 of the IP Act
- comply with a direction given to the agency under section 61(2) of the IP Act; or
- keep a data breach register or publish a data breach policy under sections 72 and 73 of the IP Act.
For bound contracted service providers, a relevant obligation is:
- the requirement to comply with the QPPs
- the requirement to comply with section 33, which sets the rules for disclosing personal information overseas; or
- the requirement to comply with a QPP code issued under section 41 of the IP Act.
Issuing a compliance notice
The Information Commissioner can issue a compliance notice if the Commissioner is satisfied on reasonable grounds that an agency has done an act or engaged in a practice that is a contravention of a relevant obligation. The act or practice must:
- be a serious or flagrant contravention; or
- be of a kind that has occurred at least five separate times within the last two years.
Flagrant is particularly concerned with how the contravention occurred; serious with the outcomes or result of the contravention.
A serious contravention
For a contravention to be serious, it must not be unimportant or trivial. The seriousness of a contravention may be determined by reference to matters such as:
- the type of personal information involved in the contravention – the more sensitive the information, the more likely it is to be a serious contravention
- the detriment or harm, or potential detriment or harm, of the contravention; and
- the amount of personal information involved in the contravention.
The contravention must be such that it would cause apprehension or concern to the individuals the information is about and could have, or has had, harmful or undesired consequences.
A flagrant contravention
For a contravention to be flagrant, it must be obvious and blatant. Generally, an accidental contravention or one that occurs as a result of a genuine misunderstanding would not be a flagrant contravention. Flagrancy requires an element of deliberateness, carelessness, negligence or an obvious, wilful or deliberate disregard.
Examples of a flagrant contravention may include:
- Where an agency has received advice that an action would constitute a breach of the QPPs and takes the action despite that advice.
- Where an agency takes a risk management approach to complying with the QPPs that involves choosing not to follow all or some of the QPPs.
- Where an agency undertakes an activity or project involving personal information and takes no steps, or steps that are obviously insufficient, to consider the application of the QPPs to the activity or project; conducting a privacy impact assessment for new projects involving personal information would reduce this risk significantly.
Contravention of a kind which has occurred five times in two years
For a contravention to come within this section, the agency must have done the act at least five times in the two years prior to the matter coming to the Information Commissioner's attention.
While contraventions of this kind will often come to the Information Commissioner's attention as a result of the Commissioner receiving privacy complaints about the action, it is not necessary for the Information Commissioner to have received a complaint in order to issue a compliance notice.
Power to compel information
Under section 197 of the IP Act, if the Information Commissioner is satisfied on reasonable grounds that a person has information relevant to the Commissioner's decision to give an agency a compliance notice, the Commissioner may give the person a written notice requiring the person to:
- give the information to the Information Commissioner in written form, or
- attend before the Information Commissioner to answer questions.
The Information Commissioner may choose to administer an oath or affirmation to the person attending to answer questions that the person will answer the questions truthfully.
What a compliance notice can require
There are very few limitations placed on what the Information Commissioner can require an agency to do by way of a compliance notice. Section 158(2) of the IP Act provides that the compliance notice may require an agency to take a stated action, within a stated period, for the purposes of ensuring compliance with the obligation.
The action must be one which will cause the agency, once it has undertaken that action, to be in compliance with the relevant obligation that is the subject of the compliance notice, i.e., the obligation which the agency had otherwise contravened. A compliance notice could not, for example, require an agency to pay compensation to an individual whose personal information was involved in a QPP breach, or to make an apology.
There is no guidance in the IP Act as to what is a reasonable time for an agency to comply with the notice, but a reasonable time would be one which took into consideration:
- all of the circumstances surrounding the failure to comply with the agency's obligations; and
- what actions are required by the notice.
Relevant considerations may include:
- the nature of the contravention – whether it is recurring, serious or flagrant
- the likelihood that the contravention will reoccur
- if the contravention is ongoing
- the harm or embarrassment that is, has been, or could be caused to the people whose personal information is the subject of the contravention
- the number of people whose personal information has been involved in the contravention
- the sensitivity of the personal information
- whether the contravention occurred accidentally, negligently, deliberately or in disregard of the QPPs; and
- the difficulty of rectifying the contravention.
Complying with a compliance notice
Section 160 of the IP Act states that an agency that is given a compliance notice must take all reasonable steps to comply with the notice. The maximum penalty for non-compliance is 100 penalty units.
Failure to take all reasonable steps to comply with a compliance notice is an offence against the IP Act.
If an agency is having difficulty complying with a notice in the time given, the agency may apply to the Information Commissioner for an extension of time in which to comply, under section 159 of the IP Act.
Applying for extra time to comply
An agency may apply for additional time to comply with a compliance notice, but that application must be made before the time allowed in the original notice has expired.
An agency may apply for a general extension or for a set number of extra days. When applying for the extension, it is important that an agency sets out why it needs the additional time and any other relevant factors, so that the Information Commissioner can properly assess the request.
If the time has expired, then an agency may not request extra time. This means it is very important that an agency advise the Office of the Information Commissioner if it is having any difficulties or issues complying with the compliance notice so that the time does not expire before the agency can apply for an extension under section 159 of the IP Act.
On receiving a request for an extension of time, the Information Commissioner may:
- refuse the application
- grant an extension for the length of time requested by the agency, if any
- grant an extension of time for any other amount of time.
Before the extension is granted, the agency must give the Information Commissioner an undertaking to comply with the notice within the granted extension of time.
What the Information Commissioner must do before granting extra time
Before the Information Commissioner can make a decision on an application for additional time under section 159 of the IP Act, the Information Commissioner must be satisfied that it is not reasonably practicable for the agency to comply with the notice in the time stated in the notice.
Appeals to QCAT
Under section 161, an agency which has been given a compliance notice may apply, as provided under the Queensland Civil and Administrative Tribunal Act 2009 (Qld) (QCAT Act), to QCAT for a review of the decision to give it the notice. When such an application is made, QCAT must exercise its review jurisdiction under the QCAT Act.
Time in which to apply
The time in which a review must be sought is not specified in the IP Act, but generally an agency should apply before the expiry of the time provided for compliance. To do otherwise might mean that, by the time the agency sought the review, the agency could have committed an offence under section 153 of the IP Act by not complying with the notice.
Parties to the proceedings
Where an application is made to QCAT, both the agency to which the notice was given and the Information Commissioner are parties to both the application for review and the review, if QCAT decides to conduct one.
QCAT may, on its own initiative or as a result of an application by the individual, at any time join an individual as a party to the proceedings. However, QCAT may only do this if it considers that the individual is affected by the Information Commissioner’s decision to give a compliance notice.
How QCAT may dispose of review
Under section 163 of the IP Act, if QCAT decides to review a decision of the Information Commissioner to issue a compliance notice, it may make any of the following orders:
- confirm the initial decision to give a compliance notice
- confirm the initial decision but substitute a compliance notice in different terms from the original
- reverse the decision to give a compliance notice
- revoke the notice and give the Information Commissioner directions about issuing a replacement compliance notice.
QPP codes
Chapter 3, part 1 of the IP Act provides for QPP codes. A QPP code is a written code of practice about information privacy that states:
- how one or more of the Queensland Privacy Principles (QPPs) are to be applied or complied with; and
- the specific agencies bound by the code, or a way of determining which agencies are bound by the code, e.g., the agency which administers a specific piece of legislation.
A code can also impose additional QPP requirements, as long as they are not inconsistent with a QPP.
Agencies must comply with an applicable QPP code.
Development of a QPP code
Draft QPP codes, or draft amendments to an existing QPP code, must be submitted to the Minister for endorsement. They can be developed by the Commissioner or an agency, but the Minister must ask the Commissioner for submissions on agency drafted codes.
Before they can be submitted to the Minister, draft codes must be published on an accessible agency website for public consultation:
- For agency drafted codes, this should generally be the agency website. If the agency does not have a website, this can be the website of another appropriate agency.
- For Minister drafted codes, this can be the departmental website.
- For Commissioner drafted codes, this will be the Commissioner's website.
The public must be invited to make submissions on the draft code, and it must remain open for public submissions for at least 20 business days. The agency or Commissioner must consider any submissions they receive.
Consideration should be given to extending the 20 business days where appropriate, for example, if the proposed alteration of the QPPs is extensive or will primarily impact a class of individuals. Proactive contact with relevant stakeholders, inviting submissions, will help ensure the draft QPP code strikes an appropriate balance.
Agencies must immediately inform the Commissioner if they publish a draft code.
Ministerial endorsement
Section 43 of the IP Act sets out how the Minister must deal with draft QPP codes or draft QPP code amendments submitted for endorsement. The Minister must:
- if the draft code was submitted by an agency, ask the Commissioner for submissions on the code; and
- consider any Commissioner submissions and any other relevant matter when deciding whether to refuse or endorse the draft code.
If the Minister endorses the draft code, they must recommend that the Governor in Council make a Regulation approving the QPP code or amended QPP code.
Commencement and expiry
A QPP code or amended QPP code does not take effect until it is approved by Regulation, and it will commence on the day stated in the Regulation.
QPP codes cannot last longer than five years. They automatically expire five years after the day the QPP code was approved by Regulation, unless there is an earlier expiry date included in the code.
Publication of QPP codes
If a QPP code or QPP code amendment is approved by Regulation, the Commissioner must publish the new or amended QPP code on the Commissioner's website. It must be published as soon as practicable after the Regulation is approved.