Overview of privacy rights and obligations

Introduction

The Information Privacy Act 2009 (Qld) (IP Act) provides for the protection of personal information collected and held by Queensland government agencies and provides rules for what those agencies must and may do with personal information. 

Rights of individuals

The IP Act provides individuals with a number of rights, which can be summarised as follows.

  • The right to expect agencies (which include a Minister) to meet their privacy obligations and protect the personal information of individuals, and to make a complaint to the agency if they do not.
  • The right to make a privacy complaint to the Information Commissioner where the individual believes an agency has failed to comply with their privacy obligations and the individual believes the agency has not addressed their initial complaint.
  • If mediation is unsuccessful, or the Information Commissioner does not believe that resolution of the complaint can be achieved through mediation, then the complainant must be given written notice reflecting this decision. The complainant then has the right to ask the Information Commissioner to refer the privacy complaint to be heard by the Queensland Civil and Administrative Tribunal (QCAT).
  • The right, for a complainant or respondent to a privacy complaint, to request a written and certified record of a mediated agreement resolving a privacy complaint.
  • The right, for a complainant or respondent to a privacy complaint, to file a copy of a certified agreement with QCAT. 

What is an agency?

An agency (other than for chapter 3 of the IP Act) is, under section 18 of the IP Act:

  • a department
  • a Minister
  • a local government; or
  • a public authority.

Additionally, in these guidelines an agency includes a bound contracted service provider under Chapter 2, part 4 of the IP Act.

Obligations on agencies

The IP Act imposes privacy protection obligations on agencies to:

  • comply in all respects with either the Information Privacy Principles or the National Privacy Principles
  • transfer personal information outside of Australia only in compliance with section 33 of the IP Act
  • take reasonable steps to have contracted service providers adhere to the privacy principles where required by section 35 of the IP Act
  • deal with privacy complaints by individuals in a timely and responsive manner
  • comply with any compliance notice issued by the Information Commissioner
  • comply with the conditions of any public interest approval issued by the Information Commissioner under section 157 of the IP Act.

The privacy principles

The IP Act contains four sets of privacy principles: the Information Privacy Principles (IPPs), the National Privacy Principles (NPPs), the rules about transferring personal information out of Australia and the rules about bound contracted service providers. 

Information Privacy Principles (IPPs)

Schedule 3 of the IP Act contains 11 IPPs, which apply to all agencies except health agencies, dealing with:

  • collection of personal information
  • storage and security of personal information
  • providing information about personal information held by an agency
  • access to and amendment of documents containing personal information
  • accuracy and relevance of personal information
  • use of personal information; and
  • disclosure of personal information.

National Privacy Principles (NPPs)

The NPPs only apply to health agencies; there are nine NPPs, dealing with:

  • collection of personal information
  • use and disclosure of personal information
  • data quality and data security
  • openness
  • access to and amendment of documents containing personal information
  • anonymity; and
  • sensitive information.

Rules about bound contracted service providers

Chapter 2, part 4 requires an agency to take reasonable steps to make a contracted service provider subject to the privacy principles as if they were an agency.

Transfer of personal information out of Australia

Section 33 of the IP Act only permits personal information to be transferred out of Australia in specific circumstances.

Waiver or modification of the privacy principles

Section 157 of the IP Act gives the Information Commissioner the power to approve the waiver or modification of an agency’s obligation to comply with the privacy principles where it is in the public interest to do so (public interest approvals).

The public interest approval may be given on a temporary basis or on an ‘until revoked’ basis, but it will only be granted where the Commissioner is satisfied that the waiver or modification is more strongly in the public interest than compliance with the principles. 

Privacy complaints

Where an individual believes an agency has breached the privacy principles or a public interest approval in relation to their personal information, they may make a privacy complaint. It must be made in the first instance to the agency, and the agency must be given a reasonable time—at least 45 business days—to respond to the complaint. 

If the complaint to the agency has not been resolved to the individual’s satisfaction, the individual may then make the complaint to the Information Commissioner. If the complaint is accepted, it will be mediated, if deemed appropriate. If mediation is not successful, the complainant may then request it be referred to QCAT.

Compliance notices

Where an agency has acted in a way that is a serious or a flagrant contravention of the obligation to comply with the privacy principles, or the contravention is of a kind that has been done by the agency at least five times within the past two years, the Information Commissioner may issue it with a compliance notice.

A compliance notice may require an agency to take action within a set amount of time to ensure compliance with the principles. The agency must comply with the notice, although it may seek an extension of time and/or appeal the decision to issue the notice to QCAT.

Current as at: July 19, 2013