QPP Codes and privacy waivers

Queensland government agencies¹ are required to deal with personal information in compliance with the Information Privacy Act 2009 (Qld) (IP Act), which provides for the fair collection and handling of personal information.

There can, however, be situations where agencies have a legitimate need to deal with personal information in unique ways that do not easily fit with the IP Act. If this happens:

• the Information Commissioner (the Commissioner) has the power to grant a waiver or modification of an agency's privacy obligations; and
• the Minister has the power to endorse a QPP code for approval via Regulation.

Waiver or modification of privacy principle or data breach requirements

Under section 157 of the IP Act, an agency or a bound contracted service provider can apply to the Commissioner for an approval that waives or modifies:

• the privacy principle requirements, i.e. the Queensland Privacy Principles (QPPs), the overseas disclosure rules in section 33, and chapter 2, part 3 of the IP Act; or
• for agencies and Ministers only, the mandatory data breach assessment and notification requirements in chapter 3A, parts 2 or 3 of the IP Act, or the requirements to keep a data breach register and publish a data breach policy (data breach requirements).

Waiver or modification will only be granted if the public interest in not complying with the privacy principle or data breach requirements outweighs the public interest in compliance.

How to apply

The application for waiver or modification must be accompanied by a detailed plan of the proposed agency actions and the steps it will follow to protect individual privacy interests if the waiver or modification is approved. A Privacy Impact Assessment may assist in preparing this plan.

If several agencies will be relying on the waiver or modification, e.g., because of a similarity of functions or participation in an interagency project, they should contact the OIC to ascertain if the application should be joint or separate applications will be required.

The waiver or modification being sought must only go as far as is necessary to permit the function or activity the agency wishes to undertake. For example:

• the agency should not seek an approval to not follow QPP 3 in relation to all its activities, when it only needs the waiver in relation to a specific project; and
• an agency should not seek an indefinite approval when the function or activity will only last for a set amount of time.

The agency must explain in detail why the public interest in noncompliance outweighs the public interest in compliance and provide any supporting evidence. If the agency is seeking an indefinite approval, it must make a strong case for why an approval for a set amount of time will not be sufficient.

If applying for modification, the agency must also set out the modified way in which it will comply with the privacy principle or data breach requirements.

An agency's application for waiver or modification should include a proposed approval. A proposed approval should address all relevant issues, for example:

• identifying the specific privacy principle or data breach requirements the agency is seeking to waive or modify
• providing a detailed and precise description of the personal information involved, including whether it is sensitive information or, for health agencies, health information
• providing a detailed and precise description of the functions or activities involved
• identifying any class of individuals whose personal information will be affected by the approval
• setting out the details of any other agencies who are involved with, or which will be affected by, the proposed approval
• setting out detailed and specific reasons why the public interest in granting the proposed approval outweighs the public interest in the agency complying with the privacy principle or data breach requirements
• setting out any alternative methods the agency has considered or attempted in order to carry out the function or activity in a way that complies with the privacy principle or data breach requirements; and
• identifying the nature, extent and frequency of the function or activity.

Granting an approval

The Commissioner must be satisfied that, for the proposed approval, the public interest in compliance with the privacy principle or data breach requirements is outweighed by the public interest in carrying out the function or activity in a way that does not comply or complies differently.

The Commissioner will take all relevant considerations into account when determining whether to grant the approval. These may include:

• The extent to which the proposed approval sets out in detail the class or classes of personal information affected by the approval and details the activity or function, or class of activities or functions for which approval is sought.
• Whether the proposed approval is consistent with the objects of the IP Act, taking into account the extent to which the proposed approval protects the privacy of individuals even with the waiver or modification of the privacy principle or data breach requirements, including any privacy protections which have been included in the proposed approval.
• The extent to which the proposed approval has the potential to cause harm to individuals or to their reasonable expectations of privacy.
• Where the proposed approval affects only the information of an identifiable group or class of people, whether the proposed approval is discriminatory or whether there has been consultation with the group.
• The extent to which the modification of the privacy principle or data breach requirements is clearly expressed and able to be understood, and whether explanatory sections or material have been included in the proposed approval.
• Where the proposed approval involves disclosing personal information to third parties, especially where they are outside Australia, the extent to which the information will be protected. Details of any contractual provisions or privacy legislation binding on the recipient should be included in the application.
• Whether the agency has presented a business case that supports the proposed approval.
• The extent to which the agency would have genuine difficulty in complying with the privacy principle or data breach requirements for the function or activity.

Approving a waiver or modification

Public interest approvals for waiver or modification are granted through publication in the Queensland Government Gazette (gazette). Agencies will be advised before publication that their waiver or modification will be approved.

The gazetted public interest approval is a statutory instrument,² which means the Commissioner must table it before the Legislative Assembly within 14 sitting days of publication in the gazette. If not tabled, it will cease to have effect.

If the motion is made within 14 sitting days of the gazetted approval being tabled, the Legislative Assembly has the power to pass a resolution disallowing the approval. If the motion passes, the gazetted public interest approval will cease to have effect.

The gazetted public interest approval must also be published:

• on the Commissioner's website; and
• the agency's website, unless it is not practicable to do so.

QPP codes

Chapter 3, part 1 of the IP Act provides for QPP codes. A QPP code is a written code of practice about information privacy that states:

• how one or more of the QPPs are to be applied or complied with; and
• the specific agencies bound by the code, or a way of determining which agencies are bound by the code, e.g.
• the agency which administers a specific piece of legislation.

A code can also impose additional QPP requirements, as long as they are not inconsistent with a QPP.

Agencies must comply with an applicable QPP code.

Development of a QPP code

Draft QPP codes, or draft amendments to an existing QPP code, must be submitted to the Minister³ for endorsement. They can be developed by the Commissioner or an agency, but the Minister must ask the Commissioner for submissions on agency drafted codes.

Before they can be submitted to the Minister, draft codes must be published on an accessible agency website for public consultation:

• For agency drafted codes, this should generally be the agency website. If the agency does not have a website, this can be the website of another appropriate agency.
• For Minister drafted codes, this can be the departmental website.
• For Commissioner drafted codes, this will be the Commissioner's website.

The public must be invited to make submissions on the draft code, and it must remain open for public submissions for at least 20 business days. The agency or Commissioner must consider any submissions they receive.

Consideration should be given to extending the 20 business days where appropriate, for example, if the proposed alteration of the QPPs is extensive or will primarily impact a class of individuals. Proactive contact with relevant stakeholders, inviting submissions, will help ensure the draft QPP code strikes an appropriate balance.

Agencies must immediately inform the Commissioner if they publish a draft code.

Ministerial endorsement

Section 43 of the IP Act sets out how the Minister must deal with draft QPP codes or draft QPP code amendments submitted for endorsement. The Minister must:

• if the draft code was submitted by an agency, ask the Commissioner for submissions on the code; and
• consider any Commissioner submissions and any other relevant matter when deciding whether to refuse or endorse the draft code.

If the Minister endorses the draft code, they must recommend that the Governor in Council make a Regulation approving the QPP code or amended QPP code.

Commencement and expiry

A QPP code or amended QPP code does not take effect until it is approved by Regulation, and it will commence on the day stated in the Regulation.

QPP codes cannot last longer than five years. They automatically expire five years after the day the QPP code was approved by Regulation, unless there is an earlier expiry date included in the code.

Publication of QPP codes

If a QPP code or QPP code amendment is approved by Regulation, the Commissioner must publish the new or amended QPP code on the Commissioner's website. It must be published as soon as practicable after the Regulation is approved.