How to make a privacy complaint - a guide for individuals

This information sheet explains how to make a privacy complaint under the Information Privacy Act 2009 (Qld) (IP Act) if you believe a Queensland department, local government Council, public hospital, public university, statutory body or one of their contractors has breached your privacy.

These are called agencies in this information sheet.

What can I complain about?

You can complain about something the agency did that involved your personal information if you think they didn't follow the rules in the IP Act.

You can't complain about someone else's personal information, unless:

• you're a parent making a complaint for your child about the child's personal information; or
• you have been authorised by someone else to make a complaint for them about their personal information.

What is personal information?

Personal information is any information about an individual identified in the information or whose identity can reasonably be worked out. It does not need to be true, written down, sensitive or 'important' to be personal information.

If the information is about you, it is your personal information.

What does the IP Act say?

The IP Act says that agencies have to follow the rules in the IP Act when they handle your personal information. The rules are:

• The Queensland Privacy Principles (QPPs) – the QPPs say how agencies need to collect, store, secure, use, disclose and dispose of personal information. You can read about them in the Basic guide to the QPPs.
• The disclosure out of Australia rules in section 33 – section 33 says that an agency can only give your personal information to someone outside Australia if they follow certain rules, like making sure it's protected or with your permission or because another law said they could.
• The contractor rules in chapter 2, part 3 of the IP Act – they mean agencies agency must try and make some kinds of contractors comply with the IP Act.
• The data breach notification rules in chapter 3A of the IP Act – they mean agencies have to tell you if an eligible data breach involves your personal information. Not every data breach is an eligible data breach and there are some exceptions. This rule does not apply to contractors and will not apply to local government Councils until July 2026.

The rules in the IP Act lets agencies use and disclose personal information for reasons like:

• sharing it with other agencies to prevent a threat or to assist with law enforcement activities
• because another law or a court says they can or must, or as part of court proceedings; or
• because what they're doing with the personal information is related to the reason they collected it in the first place.

What if I think the agency didn't follow the rules with my personal information?

If you think an agency didn't follow the IP Act's rules with your personal information, you can make privacy complaint to that agency.

If you're not sure whether you can make a privacy complaint, or whether the rules have been followed, you could contact the agency's privacy team and talk to them about it.

How do I make a privacy complaint to the agency?

You must make your privacy complaint in writing, but if you have difficulties doing so, for example because of a disability, the agency will help you put it in writing.

You must make your privacy complaint to the agency within 12 months of becoming aware that there may have been a breach of the rules in the IP Act.

You must describe what the agency did with your personal information that you think broke the rules in the IP Act.

You must include an address the agency can use to send you a response to your complaint.

It can be helpful to think about what you want the agency to do in response to your complaint. This might be an acknowledgement or an apology, or information about how the agency will stop it from happening again.

When does the agency have to respond to my privacy complaint?

They agency has at least 45 business days to respond to your complaint, but they can ask you for extra time. You do not have to agree, but if you don't refuse, the agency can keep working on your privacy complaint.

If the agency does not give you a response in time, you can bring your complaint to the Office of the information Commissioner (OIC).

What if I'm not happy with the response?

If you aren't happy with the agency's response, you can bring your privacy complaint to the OIC.

How do I bring my complaint to the OIC?

If the agency runs out of time to give you a response, or if you get a response you're not happy with, you can make a complaint to the OIC. You can't bring your privacy complaint to the OIC unless one of those things happens.

The checklist at the end of this information sheet will help you work it out.

Your complaint must be in writing, but if you have difficulties, for example due to a disability, the OIC can assist you to put it in writing.

You must describe what the agency did with your personal information that you think broke the rules in the IP Act. You should also include the date you made your complaint to the agency. It's helpful if you include a copy of the original complaint and any correspondence between you and the agency.

You must include an address the OIC can use to send you correspondence about to your complaint.

You can use the online privacy complaint form or send us an email or a letter with your complaint.

The form can be found here https://www.oic.qld.gov.au/about/privacy/make-a-privacy-complaint-2

You can send post or an email to:

Attention: Privacy Team        
Office of the Information Commissioner        
PO Box 10143
Adelaide Street          
BRISBANE  QLD  4001

administration@oic.qld.gov.au

Checklist

If you answered no to any of these questions, you cannot bring your privacy complaint to the OIC.