The Information Privacy Act 2009 (Qld) (IP Act) provides for the protection of personal information collected and held by Queensland government agencies and provides rules for what those agencies must and may do with personal information.
The IP Act provides individuals with a number of rights, which can be summarised as follows.
An agency (other than for Chapter 3 of the IP Act) is, under section 18 of the IP Act:
Additionally, in these guidelines an agency includes a bound contracted service provider under Chapter 2, part 4 of the IP Act.
The IP Act imposes privacy protection obligations on agencies to:
The IP Act contains four sets of privacy principles: the Information Privacy Principles (IPPs), the National Privacy Principles (NPPs), the rules about transferring personal information out of Australia and the rules about bound contracted service providers.
Schedule 3 of the IP Act contains 11 IPPs, which apply to all agencies except health agencies, dealing with:
The NPPs only apply to health agencies; there are nine NPPs, dealing with:
Chapter 2, part 4 requires an agency to take reasonable steps to make a contracted service provider subject to the privacy principles as if it were an agency.
Section 33 of the IP Act only permits personal information to be transferred out of Australia in specific circumstances.
Section 157 of the IP Act gives the Information Commissioner the power to approve the waiver or modification of an agency’s obligation to comply with the privacy principles where it is in the public interest to do so (public interest approvals).
The public interest approval may be given on a temporary basis or on an ‘until revoked’ basis, but it will only be granted where the Commissioner is satisfied that the waiver or modification is more strongly in the public interest than compliance with the principles.
Where an individual believes an agency has breached the privacy principles or a public interest approval in relation to their personal information, they may make a privacy complaint. It must be made in the first instance to the agency, and the agency must be given a reasonable time—at least 45 business days—to respond to the complaint.
If the complaint to the agency has not been resolved to the individual’s satisfaction, the individual may then make the complaint to the Information Commissioner. If the complaint is accepted, it will be mediated, if deemed appropriate. If mediation is not successful, the complainant may then request it be referred to QCAT.
Where an agency has acted in a way that is a serious or a flagrant contravention of the obligation to comply with the privacy principles, or the contravention is of a kind that has been done by the agency at least five times within the past two years, the Information Commissioner may issue it with a compliance notice.
A compliance notice may require an agency to take action within a set amount of time to ensure compliance with the principles. The agency must comply with the notice, although it may seek an extension of time and/or appeal the decision to issue the notice to QCAT.
Current as at: July 19, 2013