Basic guide to the QPPs
The Queensland Privacy Principles (QPPs) in the Information Privacy Act 2009 (Qld) (IP Act) set the rules for how agencies1 deal with personal information.
This guideline provides a quick reference to the QPPs. For detailed information, please refer to the relevant QPP guideline. This guideline is based on and includes material from the Australian Privacy Principle guidelines developed by the Office of the Australian Information Commissioner.
Numbering of the QPPs
The QPPs are based on the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth).
The QPPs follow the APP numbering, but not all APPs were implemented in the IP Act. As a result, the IP Act simply notes that some QPPs, eg, QPPs 7 and 8 are not used.
Note: requirements similar to APP 8 are contained in section 33 of the IP Act.
QPP 1 — Open and transparent management of personal information
Requires agencies to manage personal information in an open and transparent way.
Requires a clear, up-to-date and accessible QPP privacy policy, and practices and procedures to ensure QPP compliance.
QPP 2 — Anonymity and pseudonymity
Requires agencies to allow individuals the option of not identifying themselves (i.e. to deal with the agency anonymously or pseudonymously) unless it is:
- required or authorised under law, or
- impracticable.
QPP 3 — Collection of solicited personal information
Provides that agencies:
- can only collect personal information that is reasonably necessary for, or directly related to, one of their functions or activities
- must collect it lawfully and fairly, and
- must collect it from the individual unless an exemption applies (including consent, lawful authority/requirement and law enforcement),or it is unreasonable or impracticable to do so.
Higher standards apply to the collection of sensitive information.
Personal information is only collected if the agency solicits it, ie, they ask someone for it or otherwise takes active steps to acquire it. Unsolicited personal information sent to an agency is not collected and must be assessed under QPP 4.
QPP 4 — Dealing with unsolicited personal information
Requires agencies to assess unsolicited personal information to determine whether they could have collected it under QPP 3 and/or whether it is a public record. If not, agencies may be required to destroy or de-identify unsolicited personal information, subject to public record laws. Otherwise, QPPs 5 to 13 apply.
QPP 5 — Notification of the collection of personal information
Requires agencies that collect personal information to take reasonable steps to make sure individuals are aware of the matters listed in QPP 5 including agency contact details, the fact and circumstances of the collection if collected from someone other than the individual and the consequences if the information is not collected.
This applies when personal information is collected from an individual or from a third party.
Agencies do not need to provide a formal QPP 5 notice. The QPP 5 matters can be communicated in other ways, for example, informally or verbally.
QPP 6 — Use or disclosure of personal information
Agencies can only use or disclose personal information for the reason it was collected, unless QPP 6 allows it to be used or disclosed for a secondary purpose. These include:
- instances where the individual has consented to the use of disclosure of the information
- the individual would reasonably expect the agency to use or disclose the information for the secondary purpose (subject to limitations)
- where it is required or authorised by law or reasonably necessary for law enforcement activities
- permitted general situations such as lessening or preventing a serious threat or locating a missing person (set out in schedule 4, part 1 of the IP Act), and permitted health situations (set out in schedule 4, part 2 of the IP Act).
QPP 10 — Quality of personal information
Requires agencies to take reasonable steps to ensure the personal information:
- they collect, use, or disclose is accurate, up to date, complete, and
- for use or disclosure, is relevant to the purpose of the use or disclosure.
QPP 11 — Security of personal information
Requires agencies to take reasonable steps to protect the personal information it holds from
- misuse, interference or loss, and
- unauthorised access, modification or disclosure.
Requires agencies to take reasonable steps to destroy or deidentify personal information that is no longer needed for any purpose and is not a public record or otherwise required to be retained under law or court or tribunal order.
QPP 12 and QPP 13 — Access to and correction of personal information
Requires agencies to give access to and correct personal information they hold, subject to limitations.
- 1 References to an agency in this guideline include a Minister, bound contracted service provider, or other entity required to comply with the QPPs.
Current as at: July 1, 2025