Compliance notices

Overview

The Information Privacy Act 2009 (Qld) (IP Act) gives the Information Commissioner the power to issue a compliance notice to an agency[1] where there has been a serious, flagrant or repeated contravention of a relevant obligation under the IP Act.[2]

An agency must comply with a compliance notice[3] but can apply to the Queensland Civil and Administrative Tribunal (QCAT) for review of an Information Commissioner decision to issue the notice.[4]

Relevant obligation

Section 158(3) of the IP Act defines relevant obligation. For agencies, a relevant obligation is the requirement to:

  • comply with the Queensland Privacy Principles (QPPs)
  • comply with section 33, which sets the rules for disclosing personal information overseas
  • comply with chapter 2, part 3 to bind certain contracted service providers to the IP Act
  • comply with mandatory data breach obligations under chapter 3A, part 2 or 3 of the IP Act
  • comply with a direction given to the agency under section 61(2) of the IP Act; or
  • keep a data breach register or publish a data breach policy under sections 72 and 73 of the IP Act.

For bound contracted service providers, a relevant obligation is:

  • the requirement to comply with the QPPs
  • the requirement to comply with section 33, which sets the rules for disclosing personal information overseas; or
  • the requirement to comply with a QPP code issued under section 41 of the IP Act.

Issuing a compliance notice

The Information Commissioner can issue a compliance notice if the Commissioner is satisfied on reasonable grounds that an agency has done an act or engaged in a practice that is a contravention of a relevant obligation. The act or practice must:[5]

  • be a serious or flagrant contravention; or
  • be of a kind that has occurred at least five separate times within the last two years.

'Flagrant' is particularly concerned with how the contravention occurred; 'serious' with the outcomes or result of the contravention.

A serious contravention

For a contravention to be serious, it must not be unimportant or trivial. The seriousness of a contravention may be determined by reference to matters such as:

  • the type of personal information involved in the contravention – the more sensitive the information, the more likely it is to be a serious contravention
  • the detriment or harm, or potential detriment or harm, of the contravention; and
  • the amount of personal information involved in the contravention.

The contravention must be such that it would cause apprehension or concern to the individuals the information is about and could have, or has had, harmful or undesired consequences.

A flagrant contravention

For a contravention to be flagrant, it must be obvious and blatant. Generally, an accidental contravention or one that occurs as a result of a genuine misunderstanding would not be a flagrant contravention. Flagrancy requires an element of deliberateness, carelessness, negligence or an obvious, wilful or deliberate disregard.

Examples of a flagrant contravention may include:

  • Where an agency has received advice that an action would constitute a breach of the QPPs and takes the action despite that advice.
  • Where an agency takes a risk management approach to complying with the QPPs that involves choosing not to follow all or some of the QPPs.
  • Where an agency undertakes an activity or project involving personal information and takes no steps, or steps that are obviously insufficient, to consider the application of the QPPs to the activity or project; conducting a privacy impact assessment for new projects involving personal information would reduce this risk significantly.

Contravention of a kind which has occurred five times in two years

For a contravention to come within this section, the agency must have done the act at least five times in the two years prior to the matter coming to the Information Commissioner's attention.

While contraventions of this kind will often come to the Information Commissioner's attention as a result of the Commissioner receiving privacy complaints about the action, it is not necessary for the Information Commissioner to have received a complaint in order to issue a compliance notice.

Power to compel information

Under section 197 of the IP Act, if the Information Commissioner is satisfied on reasonable grounds that a person has information relevant to the Commissioner's decision to give an agency a compliance notice, the Commissioner may give the person a written notice requiring the person to:

  • give the information to the Information Commissioner in written form, or
  • attend before the Information Commissioner to answer questions.

The written notice must state:

  • where the person should give the information to the Information Commissioner – a place it can be sent, for written information, or the place the person should attend to answer questions; and
  • a reasonable time for the person to provide the written information, or a reasonable time at which the person should attend to answer questions.

The Information Commissioner may choose to administer an oath or affirmation to the person attending to answer questions that the person will answer the questions truthfully.

What a compliance notice can require

There are very few limitations placed on what the Information Commissioner can require an agency to do by way of a compliance notice. Section 158(2) of the IP Act provides that the compliance notice may require an agency to take a stated action, within a stated period, for the purposes of ensuring compliance with the obligation.

The action must be one which will cause the agency, once it has undertaken that action, to be in compliance with the relevant obligation that is the subject of the compliance notice, i.e., the obligation which the agency had otherwise contravened. A compliance notice could not, for example, require an agency to pay compensation to an individual whose personal information was involved in a QPP breach, or to make an apology.

There is no guidance in the IP Act as to what is a reasonable time for an agency to comply with the notice, but a reasonable time would be one which took into consideration:

  • all of the circumstances surrounding the failure to comply with the agency's obligations; and
  • what actions are required by the notice.

Relevant considerations may include:

  • the nature of the contravention – whether it is recurring, serious or flagrant
  • the likelihood that the contravention will reoccur
  • if the contravention is ongoing
  • the harm or embarrassment that is, has been, or could be caused to the people whose personal information is the subject of the contravention
  • the number of people whose personal information has been involved in the contravention
  • the sensitivity of the personal information
  • whether the contravention occurred accidentally, negligently, deliberately or in disregard of the QPPs; and
  • the difficulty of rectifying the contravention.

Complying with a compliance notice

Section 160 of the IP Act states that an agency that is given a compliance notice must take all reasonable steps to comply with the notice. The maximum penalty for non-compliance is 100 penalty units.

Failure to take all reasonable steps to comply with a compliance notice is an offence against the IP Act.

If an agency is having difficulty complying with a notice in the time given, the agency may apply to the Information Commissioner for an extension of time in which to comply, under section 159 of the IP Act.

Applying for extra time to comply

An agency may apply for additional time to comply with a compliance notice, but that application must be made before the time allowed in the original notice has expired.

An agency may apply for a general extension or for a set number of extra days. When applying for the extension, it is important that an agency sets out why it needs the additional time and any other relevant factors, so that the Information Commissioner can properly assess the request.

If the time has expired, then an agency may not request extra time. This means it is very important that an agency advise the Office of the Information Commissioner if it is having any difficulties or issues complying with the compliance notice so that the time does not expire before the agency can apply for an extension under section 159 of the IP Act.

On receiving a request for an extension of time, the Information Commissioner may:

  • refuse the application
  • grant an extension for the length of time requested by the agency, if any
  • grant an extension of time for any other amount of time.

Before the extension is granted, the agency must give the Information Commissioner an undertaking to comply with the notice within the extended time.

What the Information Commissioner must do before granting extra time

Before the Information Commissioner can make a decision on an application for additional time under section 159 of the IP Act, the Information Commissioner must be satisfied that it is not reasonably practicable for the agency to comply with the notice in the time stated in the notice.

'Reasonably practicable' is discussed in Key privacy concepts – practicable and impracticable but generally 'not practicable' does not simply mean difficult or undesirable.

To be impracticable or not practicable, the action must be nearly impossible or extremely difficult to carry out within the time provided. The fact that compliance within the time set out in the compliance notice would be inconvenient or would involve expenditure of some effort or resources would not be sufficient to meet the threshold of ‘not reasonably practicable’.

Appeals to QCAT

Under section 161, an agency which has been given a compliance notice may apply, as provided under the Queensland Civil and Administrative Tribunal Act 2009 (Qld) (QCAT Act), to QCAT for a review of the decision to give it the notice. When such an application is made, QCAT must exercise its review jurisdiction under the QCAT Act.

Time in which to apply

The time in which a review must be sought is not specified in the IP Act, but generally an agency should apply before the expiry of the time provided for compliance. To do otherwise might mean that, by the time the agency sought the review, the agency could have committed an offence under section 153 of the IP Act by not complying with the notice.

Parties to the proceedings

Where an application is made to QCAT, both the agency to which the notice was given and the Information Commissioner are parties to both the application for review and the review, if QCAT decides to conduct one.

QCAT may, on its own initiative or as a result of an application by the individual, at any time join an individual as a party to the proceedings. However, QCAT may only do this if it considers that the individual is affected by the Information Commissioner’s decision to give a compliance notice.

How QCAT may dispose of review

Under section 163 of the IP Act, if QCAT decides to review a decision of the Information Commissioner to issue a compliance notice, it may make any of the following orders:

  • confirm the initial decision to give a compliance notice
  • confirm the initial decision but substitute a compliance notice in different terms from the original
  • reverse the decision to give a compliance notice
  • revoke the notice and give the Information Commissioner directions about issuing a replacement compliance notice.

[1] Agency includes a Minister, bound contracted service provider, or other entity subject to the IP Act unless otherwise indicated.
[2] Section 158 of the IP Act.
[3] Section 160 of the IP Act.
[4] Section 161 of the IP Act.
[5] Section 158(1)(b)(i) and (ii) of the IP Act.

Current as at: July 1, 2025