Regulatory policy

1. Our role

The Information Commissioner is the independent regulator of information access and information privacy rights in Queensland. The Information Commissioner regulates agencies’ compliance with their obligations under the Right to Information Act 2009 (RTI Act) and the Information Privacy Act 2009 (IP Act) (together, the Acts).

The Information Commissioner is an Officer of Parliament and is not subject to direction by any person[1] in performing their statutory functions.

The Information Commissioner is supported by the Right to Information Commissioner and the Privacy Commissioner, who are statutory officers appointed by the Governor in Council and who are subject to the direction of the Information Commissioner.

The Office of the Information Commissioner employs staff under the Public Sector Act 2022 who are delegated to carry out functions and exercise powers on behalf of the Information Commissioner.

The Information Commissioner’s key regulatory functions are:

  • Support — giving information, assistance and guidance to members of the public and Queensland public sector agencies about the Acts.
  • Decision making — deciding whether to accept an external review application or privacy complaint, and undertaking an independent review of a decision made by a Queensland public sector agency that documents cannot be located or do not exist, that refuses access to information, or that refuses to amend a document under the Acts.
  • Mediation — mediating accepted privacy complaints made by members of the public against Queensland public sector agencies. Where a complaint cannot be mediated, it may be referred to the Queensland Civil and Administrative Tribunal (QCAT).
  • Monitoring — monitoring, auditing, reviewing and reporting to Parliament on agency practices and compliance with the Acts.
  • Investigation and enforcement — own motion investigations of an agency’s act or practice that may contravene the privacy principles or data breach obligations. Where circumstances require, the Commissioner may issue a compliance notice and/or a report to Parliament on their findings.

2. Purpose

This policy describes how the Information Commissioner exercises their regulatory functions and powers and decides to take regulatory action.

In this policy, ‘regulatory functions’ means any or all of the Information Commissioner’s functions and powers that promote agencies’ compliance with the Acts, including:

  • assisting compliance and continuous improvement through guidance, information, support and education
  • making decisions about the way agencies provide access to information or protect personal information
  • overseeing agency compliance with the Acts through monitoring, auditing, investigating and reporting to Parliament.

‘Regulatory action’ includes:

  • issuing a notice for a person or agency to produce documents or attend before the Information Commissioner to answer questions
  • issuing a compliance notice under the IP Act requiring an agency to take stated action within a stated period for the purpose of ensuring compliance with an obligation under that Act.

The Acts define an ‘agency’ as a department, local government, public authority, government owned corporation or a subsidiary.

A ‘public authority’ is an entity established for a public purpose by legislation, for example, a university, hospital and health service, or other statutory authority.

The Acts generally include Ministers either as agencies or with agencies when describing an obligation under the Acts.

3. Our regulatory approach

The following principles guide the way in which the Information Commissioner carries out their regulatory functions and exercises powers or decides to take regulatory action:

  • Independent — our regulatory approach is independent, objective and impartial.
  • Transparent — we are open about how we carry out our regulatory functions and use our powers; we publish the outcomes of our regulatory interventions as required and permitted by law.
  • Proportionate — we take regulatory action proportionate to the risk or seriousness of the issue.
  • Responsive — we take regulatory action in a timely manner commensurate with the risk or seriousness of the issue, and risk of harm to the public.
  • Fair — we exercise our regulatory functions and powers in a manner which is fair and affords natural justice.
  • Consistent — we exercise our regulatory functions and powers consistently and predictably in similar circumstances.

4. Factors we consider

When deciding to take regulatory action, the Information Commissioner considers:

The seriousness of the matter, incident or conduct, informed by the level of risk, including:

  • the number of individuals affected or potentially affected
  • whether the matter relates to information of a sensitive nature, or information that could be considered more likely to contribute to an individual experiencing serious harm
  • whether the matter could adversely affect a disadvantaged or vulnerable individual or group, or leave them open to being adversely targeted, or
  • the awareness and experience level of persons responsible for, or involved in the matter, incident or conduct.

The effect of the matter on the public interest or trust in government, including:

  • achieving the objects of the Acts
  • maintaining public confidence in the Acts
  • any deterrent effect which may be caused by the regulatory action for either an agency or within the public sector
  • any educational or precedential effect that may result from the regulatory action, or
  • whether the matter is an isolated incident or may indicate a systemic problem in an agency or within the public sector that should be addressed.

The agency’s engagement with OIC, along with any actions and decisions taken in responding to the matter, including:

  • the evidence available to substantiate any complaint or allegation
  • the agency’s compliance history, including previous decisions or behaviour of a similar nature, other complaints, reviews or breaches
  • the agency’s response to any previous OIC action, including its level of cooperation or willingness to undertake timely and effective remedial action
  • the agency’s attitude to compliance more broadly, and its general adoption of a positive culture of right to information and information privacy
  • whether the agency’s conduct was intentional or reckless, or
  • the likely efficacy of a specific regulatory action on a particular agency or for the public sector more broadly.

The impact of the matter on OIC and its relationship with our regulatory priorities, including:

  • if the agency has been or is the subject of other OIC oversight (eg the outcome of prior regulatory action)
  • the availability and impact of taking regulatory action on OIC’s resources and operations, or
  • the relevance of taking regulatory action to OIC’s strategic objectives and priorities.

Other considerations in our decision making may include (but are not limited to):

  • whether the agency has engaged cooperatively with OIC, both in deciding whether to take regulatory action and in deciding what regulatory action to take
  • regulatory action by another integrity or oversight agency, or referral to another agency which is more appropriate to deal with the matter, incident or conduct
  • human rights implications that support a referral of the matter or impact the significance or seriousness of the matter, incident or conduct, or
  • other legislative obligations.

5. Regulatory approach categories

We strive to assist agencies to succeed in respect of meeting their obligations under the Acts in the first instance. Our regulatory focus is on prioritising the provision of practical and accessible information and education to agencies. We also regularly engage with agencies to promote a positive culture of respect for information access and privacy rights by agencies and their adoption of best practice.

We adopt a stronger regulatory stance, such as a review or investigation of a matter or the taking of regulatory action, when there is a higher risk of harm and/or the matter or conduct is serious or systemic.

[Figure: pyramid showing the regulatory approach categories]

6. Our regulatory activities and actions

Our regulatory activities and actions include (but are not limited to):

6.1 Building knowledge and awareness

  • Promote best practice and compliance in the Queensland public sector through proactive stakeholder engagement.
  • Develop guidelines and other information resources for agencies to assist them in applying and interpreting the Acts.
  • Promote agency and community awareness of the Acts through the provision of practical and accessible information and education.

6.2 Support

  • Identify, comment on and make submissions about new proposed legislation or amendments to legislation, and parliamentary inquiries, relating to information access, privacy rights and related matters.
  • Provide general and targeted training to address specific agency practices on information access and privacy issues.
  • Provide guidance and information to the community and agencies about specific matters.

6.3 Decision making

  • Require an agency to provide an additional statement of reasons or conduct further document searches.
  • Issue directions to an agency as to the procedure on an external review application.
  • Refer additional documents located by an agency the subject of an external review application back to the agency (or Minister) to determine if they should be released.
  • Conduct an independent review of an agency’s decision to refuse access to a document or information, or to amend personal information in a document, including seeking to informally resolve an external review application or make a formal external review decision.
  • Waive or modify an agency’s obligation to comply with the Mandatory Notification of Data Breach scheme or Queensland Privacy Principles.

6.4 Monitoring

  • Advise Parliament and provide analysis of statistical information agencies provide on their administration of the Acts.
  • Publish performance standards and measures for use in audit and review reports.
  • Investigate agency conduct and practices that may require the issuing of a compliance notice to an agency under the IP Act and/or a report to Parliament.
  • Review how agencies comply with the Mandatory Notification of Data Breach scheme.
  • Review how an agency handles personal information to identify privacy related issues of a systemic nature.
  • Follow up and report to Parliament on an agency’s implementation of report recommendations.
  • Monitor, audit, investigate and report to Parliament on an agency’s practices and compliance with the Acts.

6.5 Enforcement

  • Issue compliance notices under the IP Act.
  • Issue notices to produce documents or attend before the Information Commissioner.
  • Enter an agency’s premises and require reasonable help from the agency about complying with the Mandatory Notification of Data Breach scheme.
  • Direct an agency to give a statement about a suspected eligible data breach under the Mandatory Notification of Data Breach scheme.
  • Refer disciplinary matters to the relevant agency’s principal officer or Minister.
  • Declare an information access applicant vexatious and limit their right to make access applications or external review applications under the RTI Act.
  • Refer suspected offences under the Acts to the appropriate authority for possible prosecution.

7. Definition/glossary of terms

For the purposes of this policy and related policy documents, the following definitions apply:

Compliance notice: The Information Commissioner has the power to issue a compliance notice to an agency where there has been a serious, flagrant or repeated contravention of a relevant obligation under the IP Act.

External review application: A person affected by a reviewable decision may apply to have the decision externally reviewed by the Information Commissioner under the RTI Act.

Mandatory Notification of Data Breach scheme: The Mandatory Notification of Data Breach scheme imposes obligations on all agencies in relation to data breaches. This includes: containing data breaches and mitigating harm; notifying the Information Commissioner and particular individuals of eligible data breaches; publishing data breach policies; and maintaining an internal register of eligible data breaches.

Natural justice: Natural justice is the right to be made aware of, and respond to, information which will be used in the course of a decision that will negatively affect the person.

Privacy complaint: An individual can make a privacy complaint if they believe an agency has dealt with their personal information in a way that is inconsistent with the Queensland Privacy Principles.

Queensland Civil and Administrative Tribunal: The Queensland Civil and Administrative Tribunal is an independent tribunal with a wide-ranging jurisdiction. Its decisions and agreements are legally binding and enforceable.

Queensland Privacy Principles: All agencies must manage personal information in accordance with the Queensland Privacy Principles set out in Schedule 3 of the IP Act.

8. Related policy documents and supporting documents

Legislation:

  • Right to Information Act 2009 (Qld)
  • Information Privacy Act 2009 (Qld)
  • Public Sector Act 2022 (Qld)
  • Human Rights Act 2019 (Qld)

Policy:

  • OIC Strategic Plan 2024-2028
  • OIC Client Service Charter
  • OIC Assurance Engagements Methodology: Policy and guidance

[1] See ss126 and 134 of the RTI and IP Acts respectively.