QPP Privacy Policy

1. Purpose

The Information Privacy Act 2009 (Qld) (IP Act) and its Queensland Privacy Principles (QPPs) set the rules for how Queensland government agencies – including the Office of the Information Commissioner (OIC) – handle personal information. These rules include a requirement, under QPP 1, that every agency have a QPP privacy policy.
Our QPP privacy policy explains how we manage personal information, including:

  1. the kinds of personal information we collect and hold, how we collect and hold that personal information, and the purposes for which we collect, hold, use and disclose personal information
  2. how you may complain about our handling of your personal information, and how we will deal with the complaint.

2. Scope

This policy applies to all OIC Commissioners, staff and contractors, and to the personal information we collect, store, manage, use and disclose in discharging most of our statutory functions.

These functions are set out in the IP Act and Right to Information Act 2009 (Qld) (RTI Act). Not all of these functions are subject to the obligations imposed by the QPPs, due to certain exclusions set out in the IP Act. These exclusions include, for example, quasi-judicial functions. OIC’s RTI external review function is quasi-judicial. This means the obligations imposed by the QPPs do not apply to our external review function.

3. Collection of personal information

The definition of ‘personal information’ is set out in the ‘Definitions’ in paragraph 10.

OIC collects personal information required to exercise our statutory functions and meet our legal obligations. We may collect this personal information in writing or by recording information provided verbally.

We collect personal information directly from individuals who access our services and indirectly from third parties as part of carrying out our functions. These functions include:

  • Dealing with applications for the external review of agency decisions under the RTI Act.
  • Dealing with privacy complaints made under the IP Act.
  • Conducting its regulatory functions, for example conducting an audit or review, or assessing an agency’s compliance with the Mandatory Notification of Data Breach (MNDB) Scheme or whether to issue a compliance notice under the IP Act.
  • Conducting audits or reviews of agency practices and compliance with the RTI and IP Act.
  • Investigating agency compliance with the QPPs and the MNDB scheme
  • Responding to enquiries from the public and agencies.

We also collect personal information to carry out our business functions, e.g. human resources management and recruitment processes.

The kind of personal information we collect from individuals directly includes names, contact details, details of individuals’ interactions with other agencies, and details about their concerns or complaints with an agency or a decision or action taken by an agency, and reasonable accommodations required by individuals (i.e. assistance requirements). This information may be collected, for example, when someone:

  • applies for external review of an agency decision under the RTI Act
  • makes a privacy complaint
  • contacts our Enquiries service to request information or assistance; or
  • notifies OIC about a data breach.

OIC may also collect personal information directly during, for example, an external review, while dealing with a privacy complaint, or undertaking an audit, review or investigation in accordance with its statutory powers.

Due to the nature of OIC’s statutory functions, we may indirectly collect any kind of personal information which can be recorded in an agency document, for example, when it conducts an audit, carries out an external review, mediates a privacy complaint, assesses a data breach, or undertakes an investigation in accordance with its statutory powers.

OIC may also collect personal information such as individuals’ names and contact details to organise meetings with OIC Commissioners or staff or when offering training and other engagement activities, including via our website and learning management system.

3.1 Sensitive information

We may also collect sensitive information. The definition of ‘sensitive information’ is set out in the ‘Definitions’ in paragraph 10.

We will generally only collect sensitive information directly from the individual it is about or with their consent, or otherwise consistently with our obligations under the IP Act. The kinds of personal information (including sensitive information) we collect and hold are set out in the table below.

OIC functionKind of personal information, how and why we collect that personal information
External review

OIC collects and holds personal information about people who apply for an external review of a decision made under the RTI Act. This includes names, contact details, the agency or Minister they applied to and details of their application.

As part of conducting an external review, OIC may acquire copies of documents that are relevant to the external review, which can contain personal information of the external review applicant and unrelated third parties. OIC may also ask the applicant or relevant third parties to provide information in order to progress and finalise the review, including their views, opinions, and relevant background information. A failure to provide this information will mean the OIC is unable to take such information into account in the external review.

OIC may also collect and hold information about reasonable accommodations required by an external review participant.

Privacy Complaints and Notification of Data Breaches

OIC collects and holds information about individuals who make privacy complaints to the OIC, which includes names, contact details, the personal information the subject of the complaint and what resolution the complainant is seeking. A failure to provide this information may mean the OIC is unable to conduct preliminary enquiries to determine if we can deal with the privacy complaint, and if accepted, mediate the privacy complaint.

OIC may also hold records of the OIC’s mediation, correspondence between the individual and the agency which allegedly breached their privacy, and information about reasonable accommodations required by a privacy complainant.

OIC collects and holds information about data breaches notified by agencies to the OIC voluntarily or under the mandatory notification of data breach scheme, including details of the breach itself. This information may include personal and sensitive information about individuals impacted by the data breach.

The customer relationship management / case management system is managed and secured by Salesforce. Salesforce’s privacy policy can be found here - Privacy Policy - Salesforce ANZ

Regulatory Audits, Reviews and InvestigationsOIC holds obtains documents from agencies the subject of an audit, review or investigation relevant to the matters or issues under examination. These documents may include personal information which relates to the functions of the agency being audited, their staff and, in some circumstances the personal information of persons who have had contact with and provided their personal information to the agency.
Information and Assistance

OIC collects and holds personal information about people who contact the OIC Enquiries Service by phone, post, or email. This information may include names, contact details, and the enquirer’s circumstances which led to or are relevant to their enquiry; this can include sensitive personal information, opinions about other people, and expressions of dissatisfaction.

OIC may also collect and hold information about reasonable accommodations required by an enquirer.

The customer relationship management / case management system is managed and secured by Salesforce. Salesforce’s privacy policy can be found here - Privacy Policy - Salesforce ANZ

Human Resources

OIC collects and holds personal information about OIC’s staff and relevant to their employment at OIC, including their contact details, date of birth, tax file number, qualifications, work history, required reasonable accommodations, entitlements, and next of kin and/or emergency contacts.

Payroll and leave are managed for OIC by Aurion as part of a service level agreement.

Complaints about the OICOIC collects and holds personal information about people who make complaints to the OIC about our services, including their names, contact details, interactions with the OIC, expressions of dissatisfaction, investigation into the complaint and the outcome of the complaint.
Recruitment and ContractorsOIC collects and holds personal information about people who apply to work at the OIC. This includes names, contact details, application documentation, identification information, assessments for suitability, referees and references.
Information collected through OIC’s website

OIC’s public website www.oic.qld.gov.au is hosted in Australia and OIC does not generally collect personal information about site visitors. OIC’s web measurement tools and Internet Service Providers record only anonymous information about site visitors for statistical purposes including:

  • server and IP address
  • the name of the top-level domain (for example, .gov, .com, .edu, .au)
  • type of browser used
  • date and time the site was accessed
  • pages accessed and documents downloaded
  • the previous site visited.

OIC collects personal information through our website where it is provided by individuals who subscribe to our electronic mailing lists or use an online form (e.g. to register to participate in training or events, apply for external review, or lodge a privacy complaint).

SurveysOIC may invite external review applicants and privacy complainants to complete voluntary surveys at the conclusion of a process for the purpose of gauging satisfaction with our services. OIC uses Survey Monkey for these purposes. If you agree to participate in our surveys, we will collect and hold your personal information by way of Survey Monkey (including holding that information overseas, in the Republic of Ireland via Survey Monkey UC). Survey Monkey’s privacy policy can be found here - Privacy Policy - Survey Monkey
Mailing list subscriptionOIC’s website subscription service is delivered by Vision6. A subscriber's email address is collected by Vision6 to deliver requested news, updates and alerts. You can read the Vision6 Privacy Policy here - Privacy Policy - Vision6
Event registrationOIC collects information, including personal information such as contact information, that you provide to us when registering to attend our events.
Social media platformsOIC uses YouTube and LinkedIn to communicate with the public about its work and to raise awareness of the RTI and IP Acts. When individuals communicate with OIC via these social media platforms, we collect any personal information you provide when you communicate with us.
YouTube and LinkedIn each have their own privacy policies.
Online training coursesContact details are collected by people undertaking OIC's online training courses for the purposes of awarding a certificate of completion and seeking course evaluation feedback. OIC also uses information about course participation to monitor the effectiveness of our training course and to inform higher-level general reports on our training activities. These reports do not include personal information and are published as part of OIC’s accountability reporting obligations.
Google Analytics

OIC uses Google Analytics to gather statistics about how its website is accessed. Google Analytics uses cookies to gather information for the purpose of providing statistical reporting on website usage.

The information generated by a cookie is transmitted to and stored by Google on servers located outside Australia. No personally identifying information is recorded or provided to Google. If you are logged in to OIC’s website, information about your user account is not linked to data recorded by Google Analytics and is not provided to Google.

Information gathered using the Google Analytics includes:

  • the number of visitors to OIC’s website
  • how visitors arrive at OIC’s website, for example, did they type the address in directly, follow a link from another webpage, or arrive via a search engine
  • the number of times each page is viewed and for how long
  • time and date of visit
  • geographical location of the visitor
  • information about what browser was used to view the OIC’s website and the operating system of the computer
  • information about whether the browser supports Java and Flash; and
  • the speed of the user's internet connection.

You can read Google’s Privacy Policy here -  Privacy Policy - Google

4. Use and disclosure of personal information

OIC uses and discloses personal information for the purpose for which the personal information was collected, including:

  1. exercising our powers or performing our statutory functions and duties, such as dealing with RTI external review applications, mediating privacy complaints or responding to enquiries
  2. managing associated business processes, such as recruitment and human resources administration.

We may also use or disclose personal information for secondary or alternative purposes as permitted under the IP Act. This may include where we are authorised or required under Australian law (including to meet our procedural fairness obligations), with your consent, or where you would reasonably expect us to use or disclose for a related – or in the case of sensitive information, directly related – secondary purpose.

This may include disclosure to a court or tribunal, for example where a privacy complaint is referred to the Queensland Civil and Administrative Tribunal, an external review decision is appealed, or in response to a judicial review application under the Judicial Review Act 1991 (Qld).

5. Access and correction of personal information

Access and correction rights are contained in the RTI Act. With the exception of OIC staff applying to access or correct their own personal information, OIC, its commissioners and staff are not subject to the access and correction obligations under the RTI Act. This means that only OIC staff may apply to access or correct their personal information held by OIC.

6. Disclosure of personal information outside Australia

We would generally disclose personal information overseas only when necessary to address a complaint or application with our statutory functions and obligations. For instance, where a complainant or applicant is overseas.

However, when you communicate with us via a social media platform such as LinkedIn or YouTube, the social media provider and its partners may collect and hold your personal information overseas. We also use Survey Monkey to conduct voluntary surveys from time to time, which may involve the collection and disclosure of participants’ personal information overseas. Data contained within Salesforce remains within Australia.

Where we disclose personal information overseas, this will usually occur with agreement, where we are authorised or required by law, or otherwise consistently with our obligations under the IP Act.

7. Dealing with OIC anonymously or using a pseudonym

People can deal with the OIC’s Enquiries Service, report a data breach or use the enquiry forms on our website anonymously or by using a pseudonym.

Complaints about the OIC can be made anonymously or by using a pseudonym but, depending on nature of the complaint, we may not be able to action a complaint and/or provide a response without a person’s identity (e.g. where a complaint relates to a particular individual’s file).

Anonymous or pseudonymous interaction is not possible for other OIC functions, such as applying for an external review or lodging a privacy complaint. We are required to collect information such as your name, contact details and details of your matter so we can deal with you and your matter effectively and in accordance with our statutory duties.

8. Security of personal information

The OIC holds personal information securely and takes reasonable steps to protect it from misuse, interference, loss, unauthorised access, modification or disclosure. OIC complies with relevant Queensland government Information Standards and security protocols to protect personal information and ensure it can be accessed by authorised staff members only.
Where permitted by the Public Records Act 2023 (Qld), OIC will destroy or deidentify unsolicited personal information or personal information no longer required for any of its functions in accordance with our obligations under the QPPs if it is lawful and reasonable to do so.

9. Privacy complaints about OIC

If you believe that OIC has not handled your personal information in accordance with the IP Act, you can make a privacy complaint. You can only make a privacy complaint on behalf of another person if they have authorised you to do so, they are a minor/child and you are their parent or guardian, they lack capacity, and you are their guardian or have other legal authority to act for them.

To make a privacy complaint about OIC, you must send your complaint to the OIC in writing and include:

  • an address for us to respond to you (e.g. an email address).
  • details about the matter or issues you are complaining about (e.g. what did the OIC do or not do with your personal information that you believe breached the QPPs and the IP Act).

You must send your complaint to us within 12 months of becoming aware of the act or practice you think constitutes a breach by OIC of the IP Act. If you are making a privacy complaint for someone else, please include an authority from them or other evidence.

Contact address for privacy complaints:

Email:

complaints@oic.qld.gov.au

Post:

Office of the Information Commissioner
PO Box 10143 Adelaide Street
Brisbane Qld 4001

9.1 Timeframe for handling a privacy complaint

The response period for a privacy complaint is 45 business days, if OIC requests for a longer period under section 164A(2) of the IP Act, the further specified period until you refuse the request, you further escalate the complaint to the OIC, or the further specified period ends.

If you do not consider OIC’s response to be adequate or if OIC does not respond within the response period, you can escalate your complaint following this procedure. Your complaint will be managed in the same way as complaints about other agencies are managed and will be dealt with by officers who had no involvement in handling the initial complaint or the activities the subject of the initial complaint.

10. Definitions

For the purposes of this policy and related policy documents, the following definitions apply:

TermDefinition
Personal information

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

(Section 12 of the IP Act).

Sensitive information

Sensitive information for an individual, means the following:

  • information or an opinion, that is also personal information, about the individual’s:
    • racial or ethnic origin; or
    • political opinions; or
    • membership of a political association; or
    • religious beliefs or affiliations; or
    • philosophical beliefs; or
    • membership of a professional or trade association; or
    • membership of a trade union; or
    • sexual orientation or practices; or
    • criminal record;
  • health information about the individual; or
  • genetic information about the individual that is not otherwise health information; or
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  • biometric templates.

(Schedule 5 (Dictionary) of the IP Act).

11. Related policy documents and supporting documents

LegislationInformation Privacy Act 2009 (Qld)
QPP 1