What You Should Know About The Information Privacy and Other Legislation Amendment Act (IPOLA)?

Contributors

Anas Baig

Product Marketing Manager at Securiti

Asaad Ahmad Qureshy

Associate Data Privacy Analyst at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

Most countries across the world now understand the urgency and importance of appropriate data privacy protections. As technology evolves, data grows along with it at an exponential rate. While this has allowed both businesses and governments to understand the needs, wants, and requirements of their customers and citizens, it comes with a plethora of challenges. These challenges pose an existential risk to users' personal data and can lead to dire consequences if appropriate measures are not in place.

The General Data Protection Regulation (GDPR) came into effect in 2018 and has since then served as the blueprint for jurisdictions hoping to enact similar legislation to ensure appropriate privacy protections for their citizens.

The Queensland government introduced the Information Privacy and Other Legislation Amendment Act (IPOLA), which aims to improve upon the existing regulations: the Information Privacy (IP) Act of 2009 and the Right to Information (RTI) Act of 2009.

While these regulations afforded Queensland residents adequate privacy protections, drastic amendments are necessary to reflect recent technological developments and threats to user privacy.

The Office of the Information Commissioner (OIC) Queensland has published a series of comprehensive guidelines intended to provide the necessary supplementary resources any organization may need to adhere to IPOLA’s requirements. These range from procedural requirements when handling users’ sensitive information to sharing, selling, or disclosing users’ data to third parties.

Read on to learn more.

IPOLA Guidelines

Changes In the Right to Information Act of 2009

This IPOLA guideline provides information related to several changes that will occur in the RTI Act. These changes will formally come into effect on July 1, 2025.

Access & Amendment Applications

IPOLA will consolidate all regulatory provisions related to access and amendment applications within one Act.

Any requests related to access to documents containing applicants’ personal information in possession of an agency will be made under the RTI Act.

Additionally, an approved form will no longer be necessary when making such requests, though they will continue to be available. Moreover, agencies will no longer be under any obligation to provide applicants with a schedule of the documents’ location in response to an access application.

Timeframes

IPOLA will significantly alter how timeframes are calculated under the RTI Act since the clock will no longer stop and start.

Consequently, the processing period will no longer be 25 business days less the various periods that stop the clock, such as the revision period that follows the agency issuing a Charges Estimate Notice (CEN). Instead, the initial processing period will be 25 business days, with various time periods added to make this period longer, depending on the circumstances.

This period will end when the agency arrives at a decision or the application is deemed decided because the agency ran out of time. The period will not begin until the valid application day, which is the day the agency receives the application or the day a previously non-compliant application is resubmitted in a valid form.

If the applicant initially provides only a physical postal address, even if they later add an email address, the processing period will be extended by five days.

Internal Review Timeframes

The current time frame of 20 business days for internal reviews will no longer apply. Instead, a new internal review processing period (IRPP) will be introduced. The IRPP will work similarly to the processing period, with 20 business days unless an agency requests an extension.

Mixed Applications

If an agency receives an access or amendment application that includes documents that are not in its possession, known as a mixed application, the agency will be able to:

  • Determine that these documents are outside the scope of this Act;
  • Continue processing and deciding on the rest of the application.

Any decision made will be reviewable.

Judicial Function Decisions

A judicial function decision is a decision that all or part of an application is outside the scope of the Act. Such decisions are not reviewable; they can only be appealed to the Queensland Civil and Administrative Tribunal (QCAT).

If an agency makes both a reviewable decision and a judicial function decision on the same application, the applicant will only be able to request a review of the reviewable decision, and must appeal the judicial function decision to QCAT.

Disclosure Logs & Publication Schemes

Disclosure Logs

Departments and Ministers are currently subject to different disclosure log obligations from other agencies. These obligations include a requirement to include application details, the applicant's name, and documentary requirements in the disclosure log as soon as practicable after the applicant has accessed the documents.

Furthermore, the Departments and Ministers are subject to compliance with the Ministerial guidelines on the Operation of Publication Schemes and Disclosure Logs.

Once the IPOLA reforms come into effect, the different requirements will be removed, and all agencies, departments, and ministers will be subject to the same disclosure log obligations.

Publication Schemes

The publication scheme will be altered significantly. Instead of the current categories and requirements, agency publication schemes will include:

  • The agency’s structure and how its functions affect the public;
  • How the public can engage with the agency’s functions;
  • Types of information held by the agency;
  • Types of information made publicly available by the agency and how it makes that information available;
  • Procedures related to asking for information, such as a fee or charge;
  • Any additional information required by the Regulation.

Agencies will no longer be required to comply with the Ministerial Guidelines for publication schemes. OIC will provide appropriate guidance in their place.

Review Rights

The list of reviewable decisions will be moved from Schedule 5 to a new Schedule 4A of the RTI Act.

The list of reviewable decisions will now include decisions that purport to cover all documents within the scope of an application but may not do so. This makes the sufficiency of search a specific reviewable decision, meaning internal reviews can be sought on sufficiency of search grounds.

External Review Remittal Powers

If any additional in-scope documents are identified as part of the external review of an access application, the Information Commissioner will have the power to consult with the agency and then refer these documents back to it for a decision.

When such documents are referred back, the applicant will be taken to have made a new, fully compliant access application for the additional documents. The external review will continue without these documents.

Comparison Table of Access & Amendment Provisions

The guide contains a detailed table that compares the current IP Act and RTI Act’s access and amendment provisions with the IPOLA amendments. This table assists agencies in updating their systems, procedures, and templates.

Changes In the Information Privacy Act of 2009

This IPOLA guideline provides information related to several changes that will occur in the IP Act. These changes will formally come into effect on July 1, 2025.

Definitions

IPOLA will add and amend several definitions mentioned in the IP Act. These are as follows:

New Definitions

  • Affected Individual
  • Data Breach
  • Eligible Data Breach
  • Permitted General Situations
  • Permitted Health Situations

Amended Definitions

  • Personal Information

Access & Amendment Changes

Applications for Access: All applications for access to documents containing personal information held by an agency will be governed by the Right to Information Act 2009 (Qld) (RTI Act), rather than the IP Act.

Applications for Amendments: Requests to amend personal information in agency documents will also be handled under the RTI Act.

Privacy Principle Changes

The Queensland Privacy Principles (QPPs) will formally replace the Information Privacy Principles (IPPs) for non-health agencies and the National Privacy Principles (NPPs) for health agencies.

Any organization or agency subject to the IP Act will be subject to the QPPs.

Additionally, unlike IPPs, it is no longer a requirement for personal information to be recorded in documentary format for the personal information to be subject to the QPPs.

Lastly, Section 33 of the IP Act, which concerns the transfer of personal information, will now only apply to the disclosure of such information outside Australia.

Mandatory Data Breach Notification

IPOLA introduces a Mandatory Notification of Data Breach (MNDB) scheme within the IP Act. While the scheme will come into effect on July 1, 2025, it will only begin to apply to local government on July 1, 2026.

Under the scheme, agencies will be required to notify the OIC and all individuals affected by a data breach unless certain exemptions apply. The scheme also requires agencies to take proactive measures to contain, assess, and mitigate data breaches, and to develop and publish a comprehensive data breach policy.

Lastly, the agency will be responsible for complying with the scheme even if a third party is in possession of the personal information subject to data breach.

IPOLA will provide further powers to the Information Commissioner to oversee and investigate the management and notification of all future data breaches.

Exemptions

There are several exemptions to the notification obligations for agencies. These include the following:

Exemption From Notification To Individuals

Agency Has Taken Remedial Measures

Agencies are not required to notify individuals if they take appropriate remedial actions to mitigate the breach so that the breach can no longer cause serious harm to the individual.

If the breach involved unauthorized access to or disclosure of personal information, the agency can rely on this exemption if:

  • It takes action to mitigate the harm caused by the data breach before such access or disclosure results in serious harm to the individual;
  • As a result of any action taken, the breach will no longer result in serious harm to the individual.

Similarly, if the breach involves loss of personal information, the agency can rely on this exemption if:

  • The agency takes action to mitigate the loss before there is any unauthorized access to or disclosure of personal information, and this prevents any unauthorized access to or disclosure of personal information;
  • The agency takes action to mitigate the loss after unauthorized access or disclosure but before it has seriously harmed any individual.

However, this only exempts agencies from notifying individuals; they must still notify the Information Commissioner and include all information related to mitigation measures taken.

Serious Risk of Harm to Health or Safety

Agencies are not required to notify individuals of a data breach if doing so would create a serious risk of harm to the individual’s health or safety. However, the Information Commissioner must still be notified along with a written notice of its reliance on this exemption.

When determining if this exemption applies, the agency must consider whether the harm caused by compliance would be greater than the harm posed by not complying.

Determining whether the notification would result in a serious risk of harm to an individual requires careful consideration of both the likelihood and consequences of harm. The higher the likelihood of detrimental impact, the higher the chances of there being a serious risk of harm.

A lower likelihood can also amount to a serious risk of harm if the potential consequences would be extremely detrimental to an individual’s health or safety. The threshold for applying the exemption is met when an agency assesses that there is a serious risk:

  • That the notification will exacerbate the mental health condition of the individual;
  • Of harm to the physical safety of an agency staff member if the notification is made;
  • Of an individual disengaging from treatment for a life-threatening condition;
  • Of at-risk individuals engaging in domestic violence in circumstances where the agency is aware of a real risk of serious physical harm.

A serious risk of harm to the health or safety of an individual other than the person to whom the information relates may also be a relevant risk to consider. These would be considered a sub-group of those affected by the breach. If this broader group can be notified without resulting in a serious risk of harm to them, the exemption will not apply to notifications to this broader group.

Systemic risks, such as harm to the individual’s confidence in a service or system, will not meet the threshold for this exemption to apply. However, the exemption may apply in limited circumstances where such loss of confidence may lead to an individual completely disengaging from medical or other essential services.

Balancing Impact

When determining whether to rely on this exemption, the agency must consider whether the harm of providing the notification outweighs the harm of not notifying. Additionally, it must determine that the potential harm from notification is real and not unlikely to result.

Hence, agencies should only rely on this exemption when it is certain that the potential harm of notification will be greater than the harm from failing to notify.

Actions to Mitigate Risk

When determining whether to rely on this exemption, agencies should also consider whether there are additional steps they may take to lessen or manage the anticipated harms. If there is a practical way to deliver the notification without posing a risk to the individual, this exemption may not be applicable.

These actions may include:

  • In-person notification or provision of support;
  • Redaction of some information;
  • Notifications to an authorized representative;
  • Notifications sent in a manner that would not require the identification of the individual officer in cases involving organized crime.

Currency of Information

Agencies must also consider the currency of information they rely on to assess whether a notification would result in a serious risk of harm. If agency records indicate a situational factor or particular characteristic of an individual that would give rise to a risk of harm, consideration must be given to the age of those records and to what extent the individual’s circumstances may have changed.

Duration of Exemption

Agencies can rely on this exemption permanently or temporarily. In any case, the exemption should be applied for the minimum period required to avoid or mitigate the anticipated harm. In cases where the serious risk of harm cannot be mitigated, it may be appropriate to apply the exemption permanently.

However, this permanent exemption will only be granted in exceptional circumstances where the agency is highly confident in the likelihood of notification causing harm to the individual. If the risk of harm is due to a particular factual scenario or temporary vulnerability, agencies must consider relying on this exemption only until a notification can safely be made.

Notifying the Information Commissioner

When relying on this exemption, the agency must provide written notice to the Information Commissioner setting out:

  • That the agency is relying on this exemption and to what extent;
  • If the exemption is permanent or temporary;
  • The expected duration of the exemption, if temporary.

Furthermore, the notification itself should include the following information when practical to do so:

  • Number of people to whom the exemption is applied;
  • Total number of individuals affected by the breach;
  • Nature of the serious risk of harm to health and safety arising from the notification;
  • Explanation of why the risk arising from the notification is greater than the risk from not notifying;
  • Nature and age of information the agency relied on to make this assessment;
  • Whether agency records were consulted to make this assessment and the grounds on which the search was authorized.

This can be a high-level summary and does not need to include any personal information. However, the Information Commissioner may seek further information from the agency regarding a specific data breach.

Compromise to Cybersecurity

Agencies are also exempt from notifying individuals if complying with the notification obligation will result in:

  • Compromising or worsening the agency’s cybersecurity;
  • Further data breaches.

However, such an exemption will be temporary and only applicable for the period where the notification is likely to result in either of the aforementioned outcomes.

The cybersecurity exemption requires the notification to likely have a detrimental impact on the agency’s cybersecurity measures. The exact threshold or degree to which they must be negatively affected is not specified, although it should be non-trivial.

Owing to such a non-specific threshold, agencies must be satisfied that such a notification would compromise the cybersecurity measures or lead to further data breaches. A mere possibility may not be enough.

For that reason, the Information Commissioner recommends agencies contact and seek advice from the Queensland Government Cybersecurity Unit when determining whether to use this exemption. They may also consult their internal and external cybersecurity experts.

Circumstances where a notification would lead to an agency’s cybersecurity measures being weakened or higher chances of future data breaches include the following:

  • The notification may lead to further unauthorized access to or disclosure of information;
  • The notification could allow the breach or a similar breach to be replicated.

When Agencies May Choose Not to Rely on This Exemption

Agencies must consider whether there are any options to notify the affected individuals without increasing the overall risk to the agency. Hence, there may be ways to comply with the notification obligations without revealing specific details of how the breach occurred or the actions the agency is taking to mitigate the impact of the breach.

Whatever approach the agency takes, it is appropriate to inform the individual that, once its investigation is concluded, further information about the breach and remedial measures will be provided.

Resolving Cybersecurity Flaws or Weaknesses Giving Rise To The Exemption

As explained earlier, this exemption is strictly temporary. Any identified weaknesses or security flaws must be mitigated as quickly as possible so that the notification can be sent out without undue delay.

Notifying the Information Commissioner

An agency that relies on the cybersecurity exemption must, in addition to its other notification obligations, also provide written notice to the Information Commissioner stating:

  • That the agency is relying on the exemption from compliance with the notification obligation;
  • When it expects the exemption to cease to apply;
  • How the application of the exemption will be reviewed.

The agency must review its reliance on the exemption each month for as long as the exemption continues, and provide the Information Commissioner with a summary of each monthly review as soon as possible. This monthly review may include consideration of whether:

  • The risks identified during the initial assessment continue to apply;
  • Mitigation measures reduced or eliminated the risk to cybersecurity;
  • Notifications to affected individuals are still likely to compromise cybersecurity or lead to further breaches;
  • Mitigation activities can be completed within the estimated timeframe;
  • The timeframe of the exemption should be amended.

To properly assist the Information Commissioner in its assessment of the notification, the OIC recommends including the following information in the notification:

  • Number of individuals to whom the exemption has been applied;
  • Explanation of why notification is likely to compromise or worsen the agency’s cybersecurity or lead to further breaches;
  • Confirmation of whether the agency has consulted with the Queensland Government Cybersecurity Unit or with its cybersecurity adviser;
  • An explanation of the timelines and work planned for remedial measures.

If required, the Information Commissioner may seek further information from an agency related to a suspected data breach.

Exemptions From Notifications To Both The Information Commissioner & Individuals

Investigations & Proceedings

An agency is exempt from notifying both the Information Commissioner and individuals if such notifications would likely prejudice:

  • An investigation that could lead to the prosecution of an offense;
  • Proceedings before a court or tribunal.

The agency that has suffered the data breach does not itself need to be conducting the investigation to rely on this exemption; it is sufficient that notification would be likely to prejudice an investigation by another agency or entity. This exemption is not restricted to criminal investigations by law enforcement agencies and can be applied to any investigation that may result in a prosecution.

Furthermore, this exemption can apply to any proceedings before any court or tribunal, regardless of jurisdiction. The investigation can be at any stage of the process. However, a finalized investigation or proceedings would not enliven this exemption.

However, before relying on this exemption, agencies must carefully consider whether it is possible to undertake notification obligations in a manner that would avoid the likely prejudice to the relevant investigation or proceedings.

Multiple Agency Breach

An agency may also be exempt from notifying individuals and the Commissioner if a data breach involves multiple agencies. This exemption will apply where:

  • All of the personal information that is the subject of the breach is also the subject of a data breach under investigation by one or more other agencies;
  • At least one of the other agencies is currently undertaking its own assessment and is required to notify individuals and the Commissioner about the breach.

However, this exemption does not apply if the other entity involved in the data breach is not an agency as defined in the IP Act.

In breaches involving multiple agencies, they may consult each other to determine which agency will be responsible for assessing and notifying the breach. All relevant agencies involved in the breach must be identified, and a central contact must be established for further inquiries.

Agencies relying on this exemption should still assess the data breach in order to mitigate current and future risks, prevent further data breaches, and identify whether the breach also contravenes another law. The exemption does not remove the agency’s obligation to update its data breach register with details of the breach.

Inconsistency with Confidentiality & Secrecy Provisions

Agencies subject to confidentiality and secrecy provisions may find issuing notifications to individuals and the Commissioner inconsistent with the provisions of a Commonwealth or State Act that prohibits or regulates the use or disclosure of information.

Hence, careful consideration must be given to studying the application of relevant provisions and their specifics to determine if and how much of the information would breach these provisions if provided to individuals or the Commissioner.

Privacy Complaints

IPOLA introduces a 45-day response period for agencies to respond to users' privacy complaints. This period can be extended upon the agency's request to the complainant.

Furthermore, IPOLA also introduces requirements for complainants to meet before they can make a privacy complaint to the agency.

QPP Codes & Guidelines

The Minister will have the power to enforce QPP codes and guidelines subject to approval by Regulation.

These QPP codes will contain information on how the QPPs are to be applied and other additional requirements. However, they will not replace the Commissioner’s ability to waive or modify the application of the privacy principles.

The Commissioner will also be tasked with creating a guideline for the collection, use, and disclosure of personal information by law enforcement agencies to help them locate a reported missing person.

QPP Comparison Tables

The guideline contains a detailed comparison chart that sets out the QPPs, their equivalents in the IPPs and NPPs, as well as the requirements of each QPP.

Queensland Privacy Principles

QPP1 - Open & Transparent Management of Personal Information

The purpose of QPP 1 is to ensure that agencies manage personal information openly and transparently. To that end, the agencies must:

  • Take appropriate steps to implement practices, procedures, and systems that comply with the QPP and can adequately deal with related inquiries and complaints;
  • Have an updated QPP privacy policy;
  • Ensure this privacy policy is available for free in a readily available form.

Appropriate Steps to Implement Practices, Procedures, and Systems

Per QPP1, agencies are required to implement practices, procedures, and systems that will:

  • Ensure the agency’s compliance with the QPPs;
  • Enable the agency to deal with inquiries or any complaints from individuals related to QPP compliance.

Additionally, agencies are required to take proactive measures to establish and maintain internal practices, procedures, and systems that will enable compliance with the QPPs. Agencies may also consider thoroughly documenting and publishing all such steps taken to demonstrate their steps towards managing personal information responsibly.

Reasonable Steps

The agency’s success in implementing appropriate practices, procedures, and systems will be determined via a “reasonable steps” test. What qualifies as reasonable steps will depend on circumstances, including:

  • The nature of the personal information. More steps may be required as the amount and sensitivity of the personal information increases;
  • Possible adverse consequences for an individual if their personal information is not handled per QPP requirements. More steps may be required as the potential impact increases;
  • The practicability of implementing such steps, including the time and cost involved.

Types of Practices, Procedures, and Systems

The exact practices, procedures, and systems to implement will differ from agency to agency. However, at a minimum, the agency must implement:

  • Procedures to identify and manage privacy risk at every stage of the information lifecycle;
  • Security systems to protect personal information from misuse, interference, and loss, and from unauthorized access, modification, or disclosure;
  • Regular privacy impact assessments (PIA) for every new project where personal information will be handled;
  • Procedures for identifying and responding to privacy breaches;
  • Procedures to allow users to make privacy complaints along with an explanation of how these complaints will be handled;
  • Procedures to allow complainants to remain anonymous;
  • Governance mechanisms in compliance with the QPPs, such as designated privacy officers;
  • Regular staff training and information bulletins;
  • Appropriate supervision of staff that regularly handles users’ personal information;
  • Mechanisms to ensure all vendors or third parties acting on their behalf comply with the QPPs;
  • A program of proactive review and audit of the adequacy and relevancy of the QPP privacy policy and practices per QPP requirements.

QPP Privacy Policy

All agencies must have a clearly expressed and up-to-date privacy policy that explains how individuals’ personal information is managed and describes the agency’s data protection practices. At a minimum, this privacy policy document should:

  • Be accessible;
  • Be easy to understand;
  • Be easy to find, use, and navigate;
  • Only include relevant information.

While there are no format-related requirements, the document should be written in a manner suitable for web publication.

Some of the specific information to include in the privacy policy document includes:

  • All the categories of personal information the agency collects, holds, and stores, including any sensitive information;
  • How it collects and stores personal information, especially sensitive information;
  • The purposes behind the collection of personal information;
  • How individuals can access their personal information or seek changes to it;
  • How individuals can complain in case of an agency violating its requirements under the QPP;
  • How such complaints will be handled;
  • Whether users’ personal information will be disclosed to overseas recipients;
  • A dedicated section on the agency’s data breach policy must also be developed and published, either as part of the privacy policy or as a separate document.

QPP2 - Dealing Anonymously & Pseudonymously With An Agency

Under QPP2, individuals have the option to deal with an agency completely anonymously or by pseudonym. However, an agency is not required to provide this option:

  • If the agency is required or authorized under Australian law to deal with individuals who have identified themselves;
  • In case it is impracticable to deal with individuals who have not identified themselves or use a pseudonym.

Providing Anonymous & Pseudonymous Options

Agencies must ensure that anonymous and pseudonymous options are always available to individuals. However, this does not apply if:

  • Anonymity or pseudonymity is the default option;
  • Agencies are legally required to deal with identified individuals;
  • There is no practicable way for the individual to deal anonymously or pseudonymously with the agency.

The steps an agency must take to ensure both options are available to the individuals will depend on the nature of the dealing between the agency and an individual. One way to do so is via the privacy policy, which could state:

  • The circumstances in which an individual may deal anonymously or by pseudonym with the agency;
  • How the individual can deal anonymously or pseudonymously with the agency;
  • Any potential negative consequences of dealing anonymously or pseudonymously with the agency;
  • The circumstances in which an individual cannot deal anonymously or pseudonymously with an agency, along with the appropriate reasons for why not.

Other measures to facilitate anonymous and pseudonymous options include:

  • If a mechanism for online communication is available on the agency website, it should state that individuals do not need to identify themselves when using it. This can be done by ensuring no personal information fields in online forms are mandatory;
  • In the case of telephone calls, appropriately informing individuals that they do not need to provide personal information;
  • If the agency is seeking public comment, it should allow users to use pseudonyms;
  • Inform individuals that communication can be done anonymously or pseudonymously when dealing with them directly.

Where Identification Is Required

An agency is not required to offer anonymous or pseudonymous options in cases where it is required to deal with identified individuals. Such situations include the following:

  • Processing of an individual’s application for an identity document, license, or approval;
  • Processing a claim for or paying a benefit to an individual;
  • Providing assistance to an individual diagnosed with a disease that must be recorded per public health law;
  • Providing assistance to suspected victims of child abuse;
  • Processing access or amendment applications which include the individual’s personal information per RTI;
  • Giving individuals access to their personal information.

Requiring Identification When Impracticable Not To

Agencies are not required to allow anonymous or pseudonymous communications with individuals when it is impracticable to deal with individuals who have not identified themselves. These circumstances can include:

  • An individual complaining about how the agency dealt with their case;
  • An individual who wants more information or wants products to be posted or delivered;
  • An individual seeking healthcare or health service from the public health system.

QPP3 - Collection of Solicited Personal Information

Per QPP3, an agency must not collect personal information unless such information is reasonably necessary for its functions or activities. Such information must always be collected via fair and lawful means and should always be collected from the individual themselves unless:

  • The individual consents to the information being collected from someone else;
  • The collection is necessary per a court or tribunal order;
  • It is unreasonable or impracticable to collect it directly from the individual.

Solicited Information

The QPP3 obligations apply only to solicited personal information. An agency is considered to have solicited personal information if it asks an individual to provide information and that information includes personal information.

Reasonably Necessary For Functions

An agency must only collect personal information, including sensitive information, that it needs for a specific purpose or function. This personal information must be:

  • Reasonably necessary for the performance of one or more of their functions;
  • Directly related to one or more of their functions or activities.

Collection By Lawful & Fair Means

Agencies must collect all personal information, including sensitive information, via lawful and fair means. For any collection to be lawful, it must be within the confines of the law and not breach any regulatory provisions. Unlawful collection may refer to:

  • Any collection of personal information directly or indirectly prohibited by another law;
  • Where an agency has the power to collect the information, but it exceeds that power in its exercise;
  • Collecting information for an unlawful purpose.

Collection By Fair Means

The collected information is deemed fairly collected if it does not involve intimidation or deception. When collecting personal information, the agency must not:

  • Mislead people about the confidentiality of information;
  • Misrepresent what it intends to do with the information;
  • Mislead individuals about who is collecting the information;
  • Make false or misleading claims about the consequences of not giving information;
  • Present the provision of voluntary information as if it were compulsory;
  • Obtain information by trickery, misrepresentation, deception, or under duress.

Collection of Sensitive Information

Agencies can only collect sensitive information where the collection is reasonably necessary for the functions or activities of the agency and the individual consents, or one of the following criteria applies:

  • The collection is required or authorized by law or court order;
  • The agency is a law enforcement agency;
  • The agency is a health agency, and a permitted health situation exists in relation to the collection of the information;
  • A permitted general situation exists in relation to the collection of the information by the agency.

QPP4 - Dealing With Unsolicited Personal Information

QPP4 deals with the collection of unsolicited personal information. Unsolicited personal information refers to personal information received by an agency that the agency did not take active steps to collect. It is the information an individual provides to the agency on their own.

Once an agency receives unsolicited information, it must first determine whether the information could have been collected under QPP3; if so, QPP3 applies to it. If not, and the information is not part of a public record, the agency must destroy or de-identify the information as soon as it is practicable and reasonable to do so.

Destruction or Deidentification of Unsolicited Personal Information

Once an agency determines that the unsolicited personal information was not collected under QPP3 and is not part of the public record, then it must determine whether it is lawful and reasonable to destroy or de-identify the personal information.

Lawful Destruction or Deidentification

An agency can legally destroy or deidentify unsolicited personal information if doing so is not criminal, illegal, prohibited, or proscribed by regulatory provisions.

However, it will not be lawful if:

  • A court, tribunal, or body with legal power has issued binding orders requiring the personal information to be retained for a period or specific purpose.

Reasonable to Destroy or Deidentify

Whether the destruction or deidentification of such information will be reasonable depends on each individual situation. Relevant considerations include:

  • The amount and sensitivity of the personal information;
  • Whether the unsolicited information was entwined with the solicited personal information in a manner where it is difficult to separate the two;
  • Whether law enforcement agencies have made requests to retain the unsolicited information;
  • Requests from the individual to retain or return the personal information;
  • The practicability of destroying or deidentifying the information.

QPP5 - Informing People When Collecting Personal Information

QPP5 deals with how agencies collecting personal information must take reasonable steps to inform the individual of such collection. This obligation applies whether the agency collects the personal information directly from the individual or from a third party. Furthermore, this obligation applies to both solicited and unsolicited personal information collected.

Necessary Steps

The agencies that collect personal information must take reasonable measures to inform the individual of the following:

  • Identity and contact details of the agency;
  • Whether the personal information was collected from someone other than the individual, and the circumstances of that collection;
  • Whether the collection is authorized by law;
  • Purpose of the collection;
  • The main consequences if personal information is not collected;
  • Information about the agency’s QPP privacy policy;
  • Whether the agency is likely to disclose the collected personal information to overseas recipients.

QPP6 - Use or Disclosure For Natural Justice

QPP6 deals with how agencies may use or disclose personal information. It allows personal information to be used or disclosed in a number of situations, including where its use or disclosure is required by Australian law.

The duty to ensure persons receive natural justice is part of Australian law. Hence, the obligation to accord natural justice is a requirement of the government's decision-making process.

Agencies that fail to comply with the requirements of natural justice risk having their decisions declared invalid by a court or tribunal. However, agencies are not obligated to use or disclose all relevant material. They are only required to use or disclose enough information to allow the recipient to respond effectively.

Regardless of their complexity and circumstances, all complaint processes will involve natural justice obligations. Examples include:

  • A complainant who may need to be accorded natural justice;
  • Situations where the agency proposes to decline to accept a complaint;
  • Telling the individual the details of the complaint against them and the evidence the agency relies on to make a decision.

The outcome of the investigation, the investigator's findings, and any actions taken against the individual the complaint was made against are considered the person’s personal information. Per natural justice, such information cannot be given to a third party, such as the complainant or witnesses.

Agencies that wish to communicate the personal information of the subject of a complaint to other entities or parties must ensure they do not breach the privacy principles when doing so.

QPP10 - Quality & Accuracy of Personal Information

QPP10 deals with how government agencies in Queensland must take reasonable measures to ensure the quality of the personal information they collect. Specifically, they must ensure:

  • The personal information collected is accurate, up-to-date, and complete;
  • With regards to the reason for use or disclosure, the personal information they use or disclose is accurate, up-to-date, complete, and relevant.

Agencies are required to take reasonable steps at two distinct times: when they collect the information and when they use or disclose it. Agencies are under no obligation to review personal information outside their specific obligations under QPP10 but can choose to do so on their own to ensure the quality of the personal information they hold.

To that end, the reasonable steps an agency can take include the following:

Reasonable Steps

  • Implement internal practices, procedures, and systems to audit, monitor, identify, and correct poor-quality personal information;
  • Put strict protocols in place to ensure personal information is collected and recorded in a consistent manner;
  • Ensure updated and new personal information is promptly added to existing information records;
  • Provide individuals a simple means to review and update their original personal information in an ongoing manner, ideally via an online portal;
  • Remind individuals to update their personal information every time they engage with the agency;
  • Contact the individual to verify the quality of their personal information when it is used or disclosed, specifically after a lengthy period has passed since the information’s collection;
  • If personal information is to be used or disclosed for a secondary purpose, assess the quality of the personal information with regard to its secondary purpose before using or disclosing it.

The best way to ensure the quality of information is to verify it against the original source. However, doing so may not be reasonable in some instances, including the following:

  • The original source may not be available;
  • Checking against the original source may be unreasonably expensive;
  • The consequences of personal information being incorrect are likely to have nominal or minimal impact;
  • Agencies have a reason to believe that the source information is inaccurate or may have become inaccurate over time.

As far as what constitutes reasonable steps, taking the following factors into account may help in making that determination:

  • The likelihood that the information in question is accurate, complete, and up to date;
  • Whether the information has changed over time;
  • How recently the information was collected;
  • How reliable the information is likely to be;
  • Who provided the information;
  • How the information is likely to be used or disclosed;
  • The likely consequences if the information being used or disclosed is inaccurate, incomplete, or out of date;
  • How sensitive the personal information is;
  • The nature of the agency, such as its size, resources, and responsibilities;
  • The practicality of the steps, including the time and resources that would be required.

Similarly, if an agency has collected information from a third party, it should have appropriate procedures and systems to ensure the quality of personal information. Depending on the circumstances and the nature of the third party, this can include:

  • Enforceable contractual agreements that require third parties to implement appropriate measures to ensure the quality of the personal information the agency collects from them;
  • Due diligence measures related to the third party’s quality practices prior to collection.

QPP11 - Security, Deidentification, and Destruction of Personal Information

QPP11 deals with the reasonable steps government agencies must take to protect the personal information they hold from misuse, interference, and loss, and from unauthorized access, modification, and disclosure.

Agencies must destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the QPPs.

As part of their obligation to protect personal information, the agencies must consider appropriate measures to ensure its protection at all stages of the information lifecycle.

Reasonable Steps

The reasonable steps necessary to ensure the security of the personal information will depend on the following:

  • The amount and sensitivity of the personal information held;
  • Possible adverse consequences for individuals in the event of a breach;
  • The practical implications of implementing the security measure, including the time and cost involved;
  • Whether a particular security measure is privacy-invasive.

Additionally, agencies must also destroy or deidentify personal information no longer needed for any purpose. However, some documents may only be destroyed or altered if allowed per the Public Records Act of 2003 and any Retention and Disposal Schedule issued under that Act.

Any other applicable Australian laws and any court or tribunal orders must also be respected. Hence, the requirement to take reasonable measures to destroy or de-identify personal information will not apply to personal information that:

  • Must be retained unaltered as a public record;
  • Must be retained unaltered under any Australian law;
  • Must be retained by order of a court or tribunal.

If a document does not fall under any of the aforementioned categories, agencies must take reasonable measures to de-identify or destroy it. What constitutes “reasonable steps” will depend on the following:

  • The amount and sensitivity of the personal information;
  • The nature of the agency, including the size, resources, and information storage methods of the agency;
  • The possible adverse consequences for an individual if their personal information is not destroyed or de-identified;
  • The agency’s information handling practices and whether such information handling practices are outsourced to third parties;
  • The practicability of destroying or deidentifying personal information.

QPP12, QPP13 - Access to/Correction of Personal Information

QPP12 deals with how agencies are supposed to provide individuals with the right to access their personal information, while QPP13 creates the right of individuals to correct personal information that has become incorrect since its creation.

Per QPP12, an agency must provide individuals with access to their personal information when they request it. This provision operates alongside the provisions of the RTI Act and other laws that obligate agencies to provide individuals with the right to access their personal information.

It does not prescribe any particular access mechanism and leaves it up to the agencies to determine the best way.

Per QPP13, an agency must take reasonable steps to correct the personal information it has collected, in the context of the purpose for which it was collected. It must take these steps if:

  • It is satisfied on its own determination that the personal information is inaccurate, out of date, incomplete, irrelevant, or misleading;
  • An individual asks for the information to be corrected.

QPP13 does not require agencies to check the personal information they hold. However, an agency may become aware that the information is incorrect in the following ways:

  • Information provided to the agency by an individual or a third party is inconsistent with other information held by the agency;
  • A court or tribunal may make a finding that highlights the inconsistency in the information held by the agency;
  • The agency may be notified by another agency or an individual that the personal information is incorrect, or that similar information held by another agency has been corrected;
  • An auditing or monitoring program reveals that the information held by the agency requires correction.

Similarly, if an individual makes a correction request, the agency must take reasonable steps to ensure such correction. As QPP13 does not provide a specific mechanism for correction requests, the agencies can comply with the QPP13 requirements by complying with the RTI Act and its relevant administrative mechanisms for correction.

If the agency cannot take any reasonable steps to correct the personal information, it may decline such a request. Reasonable steps refer to making appropriate additions, deletions, or alterations to its records. The reasonable steps an agency can take depend on the following:

  • The sensitivity of the personal information;
  • Possible adverse consequences for individuals if a correction is not made;
  • The practicability of the steps, including the time and cost involved;
  • The likelihood of the agency using or disclosing the personal information;
  • The purpose for which the personal information is held;
  • The record-keeping requirements that apply to the personal information;
  • Whether the personal information is in the physical possession of the agency or a third party.

Agencies regularly collaborate with bound contracted service providers. These providers are not subject to the RTI Act but are subject to the QPPs. Hence, agencies must have processes for individuals to access and correct the personal information such providers hold. This can be done by:

  • Ensuring contracted service providers understand their correction and access obligations and providing them guidance on the subject;
  • Establishing in the contract that the agency retains control of the relevant documents, meaning individuals can request access to or correction of those documents.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

With the Data Command Center, you’ll gain access to several modules and solutions designed to ensure compliance with various data privacy and protection-related obligations. These modules range from consent management and data mapping to vendor management and breach management, among others.

Request a demo today and learn how Securiti can help you comply with IPOLA and all other major data protection regulations in effect in Australia and globally.
