{"id":"qld:act-2009-014","name":"Information Privacy Act 2009","slug":"information-privacy-act-2009","collection":"act","jurisdiction":"qld","status":"in_force","isInForce":true,"actNumber":"14 of 2009","makingDate":null,"administeringDepartment":null,"currentVersion":{"id":29914,"registerId":"qld-act-2009-014-current","compilationNumber":null,"startDate":"2026-04-01","status":"InForce","reasons":null,"registeredAt":null},"sections":[{"sectionNumber":"ch.1-pt.1","sectionType":"part","heading":"Introductory","content":"# Introductory","sortOrder":0},{"sectionNumber":"sec.1","sectionType":"section","heading":"Short title","content":"### sec.1 Short title\n\nThis Act may be cited as the Information Privacy Act 2009 .","sortOrder":1},{"sectionNumber":"sec.2","sectionType":"section","heading":"Commencement","content":"### sec.2 Commencement\n\nThis Act commences on a day to be fixed by proclamation.","sortOrder":2},{"sectionNumber":"sec.3","sectionType":"section","heading":"Object of Act","content":"### sec.3 Object of Act\n\nThe primary object of this Act is to provide for the fair collection and handling in the public sector environment of personal information.\nThe Act must be applied and interpreted to further the primary object.\ns&#160;3 amd 2023 No.&#160;32 s&#160;8\n(sec.3-ssec.1) The primary object of this Act is to provide for the fair collection and handling in the public sector environment of personal information.\n(sec.3-ssec.2) The Act must be applied and interpreted to further the primary object.","sortOrder":3},{"sectionNumber":"sec.4","sectionType":"section","heading":null,"content":"### Section sec.4\n\ns&#160;4 om 2023 No.&#160;32 s&#160;9","sortOrder":4},{"sectionNumber":"sec.5","sectionType":"section","heading":null,"content":"### Section sec.5\n\ns&#160;5 om 2023 No.&#160;32 s&#160;9","sortOrder":5},{"sectionNumber":"sec.6","sectionType":"section","heading":"Scope of personal information under this Act","content":"### sec.6 Scope of personal 
information under this Act\n\nThis Act applies to the collection of personal information, regardless of when it came into existence, and to the storage, handling, accessing, amendment, management, transfer, use and disclosure of personal information regardless of when it was collected.","sortOrder":6},{"sectionNumber":"sec.7","sectionType":"section","heading":"Relationship with other laws regulating personal information","content":"### sec.7 Relationship with other laws regulating personal information\n\nThis Act is intended to operate subject to the provisions of other Acts regulating—\nthe collection, storage, handling, accessing, amendment, management, transfer and use of personal information; or\nthe disclosure, within the meaning of section&#160;23 , of personal information.\nWithout limiting subsection&#160;(1) , the operation of QPPs 6.1 and 6.2(d) and the permitted health situation mentioned in schedule&#160;4 , section&#160;5 do not override any law with respect to assisted and substituted decision-making, including, for example, the Guardianship and Administration Act 2000 and the Powers of Attorney Act 1998 .\ns&#160;7 sub 2023 No.&#160;32 s&#160;10\n(sec.7-ssec.1) This Act is intended to operate subject to the provisions of other Acts regulating— the collection, storage, handling, accessing, amendment, management, transfer and use of personal information; or the disclosure, within the meaning of section&#160;23 , of personal information.\n(sec.7-ssec.2) Without limiting subsection&#160;(1) , the operation of QPPs 6.1 and 6.2(d) and the permitted health situation mentioned in schedule&#160;4 , section&#160;5 do not override any law with respect to assisted and substituted decision-making, including, for example, the Guardianship and Administration Act 2000 and the Powers of Attorney Act 1998 .\n- (a) the collection, storage, handling, accessing, amendment, management, transfer and use of personal information; or\n- (b) the disclosure, within the meaning 
of section&#160;23 , of personal information.","sortOrder":7},{"sectionNumber":"sec.8","sectionType":"section","heading":"Relationship with other Acts regulating disposal of information","content":"### sec.8 Relationship with other Acts regulating disposal of information\n\nThis Act does not affect the provisions of other Acts regulating the disposal of information (however described).\ns&#160;8 amd 2023 No.&#160;33 s&#160;107 sch&#160;5","sortOrder":8},{"sectionNumber":"sec.9","sectionType":"section","heading":null,"content":"### Section sec.9\n\ns&#160;9 om 2023 No.&#160;32 s&#160;11","sortOrder":9},{"sectionNumber":"sec.10","sectionType":"section","heading":"Act binds State","content":"### sec.10 Act binds State\n\nThis Act binds the State.","sortOrder":10},{"sectionNumber":"ch.1-pt.2","sectionType":"part","heading":"Interpretation","content":"# Interpretation","sortOrder":11},{"sectionNumber":"sec.11","sectionType":"section","heading":"Definitions","content":"### sec.11 Definitions\n\nThe dictionary in schedule&#160;5 defines particular words used in this Act.","sortOrder":12},{"sectionNumber":"sec.12","sectionType":"section","heading":"Meaning of personal information","content":"### sec.12 Meaning of personal information\n\nPersonal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—\nwhether the information or opinion is true or not; and\nwhether the information or opinion is recorded in a material form or not.\ns&#160;12 sub 2023 No.&#160;32 s&#160;12\n- (a) whether the information or opinion is true or not; and\n- (b) whether the information or opinion is recorded in a material form or not.","sortOrder":13},{"sectionNumber":"sec.13","sectionType":"section","heading":"Meaning of held or holds in relation to personal information","content":"### sec.13 Meaning of held or holds in relation to personal information\n\nPersonal information is held by a relevant 
entity, or the entity holds personal information, if the personal information is contained in a document in the possession, or under the control, of the relevant entity.\ns&#160;13 sub 2023 No.&#160;32 s&#160;12","sortOrder":14},{"sectionNumber":"sec.14","sectionType":"section","heading":null,"content":"### Section sec.14\n\ns&#160;14 om 2023 No.&#160;32 s&#160;12","sortOrder":15},{"sectionNumber":"sec.15","sectionType":"section","heading":"Meaning of document","content":"### sec.15 Meaning of document\n\nIn this Act, a document does not include a document to which the privacy principle requirements do not apply.\ns&#160;15 sub 2023 No.&#160;32 s&#160;13","sortOrder":16},{"sectionNumber":"sec.16","sectionType":"section","heading":"Meaning of document to which the privacy principle requirements do not apply","content":"### sec.16 Meaning of document to which the privacy principle requirements do not apply\n\nIn this Act, a document to which the privacy principle requirements do not apply means a document mentioned in schedule&#160;1 .\ns&#160;16 sub 2023 No.&#160;32 s&#160;14","sortOrder":17},{"sectionNumber":"sec.17","sectionType":"section","heading":null,"content":"### Section sec.17\n\ns&#160;17 om 2023 No.&#160;32 s&#160;15","sortOrder":18},{"sectionNumber":"sec.18","sectionType":"section","heading":"Meaning of agency","content":"### sec.18 Meaning of agency\n\nIn this Act, an agency means—\na Minister; or\na department; or\na local government; or\na public authority.\nHowever, in this Act, agency does not include an excluded entity.\nFor this Act—\na board, council, committee, subcommittee or other body established by government to help, or to perform functions connected with, an agency is not a separate agency, but is taken to be comprised within the agency; and\na reference to an agency includes a reference to a body that is taken to be comprised within the agency; and\na reference to local government includes a reference to the Wide Bay Water 
Corporation.\nIn this section—\nexcluded entity means—\nan entity mentioned in schedule&#160;2 , part&#160;1 ; or\nan entity mentioned in schedule&#160;2 , part&#160;2 in relation to the function mentioned in that part.\ns&#160;18 amd 2023 No.&#160;32 s&#160;16\n(sec.18-ssec.1) In this Act, an agency means— a Minister; or a department; or a local government; or a public authority.\n(sec.18-ssec.2) However, in this Act, agency does not include an excluded entity.\n(sec.18-ssec.3) For this Act— a board, council, committee, subcommittee or other body established by government to help, or to perform functions connected with, an agency is not a separate agency, but is taken to be comprised within the agency; and a reference to an agency includes a reference to a body that is taken to be comprised within the agency; and a reference to local government includes a reference to the Wide Bay Water Corporation.\n(sec.18-ssec.4) In this section— excluded entity means— an entity mentioned in schedule&#160;2 , part&#160;1 ; or an entity mentioned in schedule&#160;2 , part&#160;2 in relation to the function mentioned in that part.\n- (a) a Minister; or\n- (b) a department; or\n- (c) a local government; or\n- (d) a public authority.\n- (a) a board, council, committee, subcommittee or other body established by government to help, or to perform functions connected with, an agency is not a separate agency, but is taken to be comprised within the agency; and\n- (b) a reference to an agency includes a reference to a body that is taken to be comprised within the agency; and\n- (c) a reference to local government includes a reference to the Wide Bay Water Corporation.\n- (a) an entity mentioned in schedule&#160;2 , part&#160;1 ; or\n- (b) an entity mentioned in schedule&#160;2 , part&#160;2 in relation to the function mentioned in that part.","sortOrder":19},{"sectionNumber":"sec.19","sectionType":"section","heading":null,"content":"### Section sec.19\n\ns&#160;19 om 2023 No.&#160;32 
s&#160;17","sortOrder":20},{"sectionNumber":"sec.20","sectionType":"section","heading":"Special provision about application of Act to a Minister","content":"### sec.20 Special provision about application of Act to a Minister\n\nIf a provision of this Act applies to a Minister, the provision applies only for acts done, or practices engaged in, as the case may be, in the Minister’s capacity as a Minister in relation to the affairs of an agency administered by the Minister.\ns&#160;20 amd 2023 No.&#160;32 s&#160;18","sortOrder":21},{"sectionNumber":"sec.21","sectionType":"section","heading":"Meaning of public authority","content":"### sec.21 Meaning of public authority\n\nIn this Act, public authority means any of the following entities—\nUnder the Acts Interpretation Act 1954 , schedule&#160;1 —\nentity includes a person and an unincorporated body.\nan entity—\nestablished for a public purpose by an Act; or\nestablished by government under an Act for a public purpose, whether or not the public purpose is stated in the Act ;\nan entity created by the Governor in Council or a Minister;\nanother entity declared by regulation to be a public authority for this Act, being an entity—\nsupported directly or indirectly by government funds or other government assistance; or\nover which government is in a position to exercise control; or\nestablished under an Act; or\ngiven public functions under an Act;\nsubject to subsection&#160;(4) , a person holding an office established under an Act;\na person holding an appointment—\nmade by the Governor in Council or Minister otherwise than under an Act; and\ndeclared by regulation to be an appointment the holder of which is a public authority for this Act.\nFor subsection&#160;(1) (c) , an entity may be declared by regulation to be a public authority for this Act in relation to only a part of the entity’s functions.\nA prescribed entity is not a public authority in relation to documents received, or created, by it in performing a 
function other than the public function given under an Act.\nA person is not a public authority merely because the person holds—\nan office the duties of which are performed as duties of employment as an agency’s officer; or\nan office of member of a body; or\nan office established under an Act for the purposes of an agency.\nIn this section—\nprescribed entity means an entity that is a public authority only because it is given public functions under an Act and is declared by regulation to be a public authority for this Act.\ns&#160;21 amd 2013 No.&#160;39 s&#160;110 (1) sch&#160;3 pt&#160;1 ; 2023 No.&#160;32 s&#160;19\n(sec.21-ssec.1) In this Act, public authority means any of the following entities— Under the Acts Interpretation Act 1954 , schedule&#160;1 — entity includes a person and an unincorporated body. an entity— established for a public purpose by an Act; or established by government under an Act for a public purpose, whether or not the public purpose is stated in the Act ; an entity created by the Governor in Council or a Minister; another entity declared by regulation to be a public authority for this Act, being an entity— supported directly or indirectly by government funds or other government assistance; or over which government is in a position to exercise control; or established under an Act; or given public functions under an Act; subject to subsection&#160;(4) , a person holding an office established under an Act; a person holding an appointment— made by the Governor in Council or Minister otherwise than under an Act; and declared by regulation to be an appointment the holder of which is a public authority for this Act.\n(sec.21-ssec.2) For subsection&#160;(1) (c) , an entity may be declared by regulation to be a public authority for this Act in relation to only a part of the entity’s functions.\n(sec.21-ssec.3) A prescribed entity is not a public authority in relation to documents received, or created, by it in performing a function other than 
the public function given under an Act.\n(sec.21-ssec.4) A person is not a public authority merely because the person holds— an office the duties of which are performed as duties of employment as an agency’s officer; or an office of member of a body; or an office established under an Act for the purposes of an agency.\n(sec.21-ssec.5) In this section— prescribed entity means an entity that is a public authority only because it is given public functions under an Act and is declared by regulation to be a public authority for this Act.\n- (a) an entity— (i) established for a public purpose by an Act; or (ii) established by government under an Act for a public purpose, whether or not the public purpose is stated in the Act ;\n- (i) established for a public purpose by an Act; or\n- (ii) established by government under an Act for a public purpose, whether or not the public purpose is stated in the Act ;\n- (b) an entity created by the Governor in Council or a Minister;\n- (c) another entity declared by regulation to be a public authority for this Act, being an entity— (i) supported directly or indirectly by government funds or other government assistance; or (ii) over which government is in a position to exercise control; or (iii) established under an Act; or (iv) given public functions under an Act;\n- (i) supported directly or indirectly by government funds or other government assistance; or\n- (ii) over which government is in a position to exercise control; or\n- (iii) established under an Act; or\n- (iv) given public functions under an Act;\n- (d) subject to subsection&#160;(4) , a person holding an office established under an Act;\n- (e) a person holding an appointment— (i) made by the Governor in Council or Minister otherwise than under an Act; and (ii) declared by regulation to be an appointment the holder of which is a public authority for this Act.\n- (i) made by the Governor in Council or Minister otherwise than under an Act; and\n- (ii) declared by regulation 
to be an appointment the holder of which is a public authority for this Act.\n- (i) established for a public purpose by an Act; or\n- (ii) established by government under an Act for a public purpose, whether or not the public purpose is stated in the Act ;\n- (i) supported directly or indirectly by government funds or other government assistance; or\n- (ii) over which government is in a position to exercise control; or\n- (iii) established under an Act; or\n- (iv) given public functions under an Act;\n- (i) made by the Governor in Council or Minister otherwise than under an Act; and\n- (ii) declared by regulation to be an appointment the holder of which is a public authority for this Act.\n- (a) an office the duties of which are performed as duties of employment as an agency’s officer; or\n- (b) an office of member of a body; or\n- (c) an office established under an Act for the purposes of an agency.","sortOrder":22},{"sectionNumber":"sec.22","sectionType":"section","heading":null,"content":"### Section sec.22\n\ns&#160;22 om 2023 No.&#160;32 s&#160;141 s ch&#160;1 pt&#160;2","sortOrder":23},{"sectionNumber":"sec.23","sectionType":"section","heading":"What it means to disclose personal information and to use personal information","content":"### sec.23 What it means to disclose personal information and to use personal information\n\nAn entity (the first entity ) discloses personal information to another entity (the second entity ) if—\nthe second entity does not know the personal information, and is not in a position to be able to find it out; and\nthe first entity gives the second entity the personal information, or places it in a position to be able to find it out; and\nthe first entity ceases to have control over the second entity in relation to who will know the personal information in the future.\nAn entity uses personal information if it—\nmanipulates, searches or otherwise deals with the information; or\ntakes the information into account in the making of a 
decision; or\ntransfers the information from a part of the entity having particular functions to a part of the entity having different functions.\nSubsection&#160;(2) does not limit what actions may be use of the personal information.\nHowever, use of the personal information does not include the action of disclosing the personal information to another entity.\ns&#160;23 amd 2023 No.&#160;32 s&#160;20\n(sec.23-ssec.1) An entity (the first entity ) discloses personal information to another entity (the second entity ) if— the second entity does not know the personal information, and is not in a position to be able to find it out; and the first entity gives the second entity the personal information, or places it in a position to be able to find it out; and the first entity ceases to have control over the second entity in relation to who will know the personal information in the future.\n(sec.23-ssec.2) An entity uses personal information if it— manipulates, searches or otherwise deals with the information; or takes the information into account in the making of a decision; or transfers the information from a part of the entity having particular functions to a part of the entity having different functions.\n(sec.23-ssec.3) Subsection&#160;(2) does not limit what actions may be use of the personal information.\n(sec.23-ssec.4) However, use of the personal information does not include the action of disclosing the personal information to another entity.\n- (a) the second entity does not know the personal information, and is not in a position to be able to find it out; and\n- (b) the first entity gives the second entity the personal information, or places it in a position to be able to find it out; and\n- (c) the first entity ceases to have control over the second entity in relation to who will know the personal information in the future.\n- (a) manipulates, searches or otherwise deals with the information; or\n- (b) takes the information into account in the making of a 
decision; or\n- (c) transfers the information from a part of the entity having particular functions to a part of the entity having different functions.","sortOrder":24},{"sectionNumber":"sec.24","sectionType":"section","heading":"References to doing an act or engaging in a practice","content":"### sec.24 References to doing an act or engaging in a practice\n\nIn this Act, a reference to doing an act or engaging in a practice in contravention of a requirement includes a reference to a failure to act or a failure to engage in a practice in contravention of the requirement.\ns&#160;24 sub 2023 No.&#160;32 s&#160;21","sortOrder":25},{"sectionNumber":"sec.25","sectionType":"section","heading":null,"content":"### Section sec.25\n\ns&#160;25 om 2023 No.&#160;32 s&#160;21","sortOrder":26},{"sectionNumber":"ch.2-pt.1","sectionType":"part","heading":"Compliance with QPPs by agencies","content":"# Compliance with QPPs by agencies","sortOrder":27},{"sectionNumber":"sec.26","sectionType":"section","heading":"Queensland privacy principles","content":"### sec.26 Queensland privacy principles\n\nEach Queensland privacy principle ( QPP ) is set out in schedule&#160;3 .\nIn this Act, a reference to a QPP followed by a number is a reference to the provision of schedule&#160;3 having that number.\ns&#160;26 sub 2023 No.&#160;32 s&#160;22\n(sec.26-ssec.1) Each Queensland privacy principle ( QPP ) is set out in schedule&#160;3 .\n(sec.26-ssec.2) In this Act, a reference to a QPP followed by a number is a reference to the provision of schedule&#160;3 having that number.","sortOrder":28},{"sectionNumber":"sec.27","sectionType":"section","heading":"Agencies to comply with QPPs","content":"### sec.27 Agencies to comply with QPPs\n\nAn agency must comply with the QPPs.\nFor the application of the Act in relation to a Minister, see also section&#160;20 .\nWithout limiting subsection&#160;(1) , the agency must not do an act or engage in a practice that contravenes, or is otherwise inconsistent 
with, a requirement of a QPP.\nAn act or practice mentioned in subsection&#160;(2) includes any act or practice relating to the agency’s collection, storage, handling, accessing, amendment, management, transfer, use or disclosure of personal information.\ns&#160;27 amd 2011 No.&#160;32 s&#160;332 sch&#160;1 pt&#160;2 (amd 2012 No.&#160;9 s&#160;47 ); 2023 No.&#160;32 s&#160;23\n(sec.27-ssec.1) An agency must comply with the QPPs. For the application of the Act in relation to a Minister, see also section&#160;20 .\n(sec.27-ssec.2) Without limiting subsection&#160;(1) , the agency must not do an act or engage in a practice that contravenes, or is otherwise inconsistent with, a requirement of a QPP.\n(sec.27-ssec.3) An act or practice mentioned in subsection&#160;(2) includes any act or practice relating to the agency’s collection, storage, handling, accessing, amendment, management, transfer, use or disclosure of personal information.","sortOrder":29},{"sectionNumber":"sec.28","sectionType":"section","heading":"Noncompliance with particular QPPs","content":"### sec.28 Noncompliance with particular QPPs\n\nAn agency is not required to comply with a prescribed QPP in relation to an individual’s personal information if the information is related to or connected with personal information of the individual that has previously been published, or given for the purpose of publication, by the individual.\nIn this section—\nprescribed QPP means QPP 6 or 10.2.\npublish , for personal information, means publish the information by way of television, newspaper, radio, internet or other form of communication.\ns&#160;28 amd 2023 No.&#160;32 s&#160;24\n(sec.28-ssec.1) An agency is not required to comply with a prescribed QPP in relation to an individual’s personal information if the information is related to or connected with personal information of the individual that has previously been published, or given for the purpose of publication, by the individual.\n(sec.28-ssec.2) In this 
section— prescribed QPP means QPP 6 or 10.2. publish , for personal information, means publish the information by way of television, newspaper, radio, internet or other form of communication.","sortOrder":30},{"sectionNumber":"sec.29","sectionType":"section","heading":"Special provision for law enforcement agencies","content":"### sec.29 Special provision for law enforcement agencies\n\nA law enforcement agency is not subject to QPP 3.6, 5, 6 or 10.1, but only if the law enforcement agency is satisfied on reasonable grounds that noncompliance with the QPP is necessary for—\nif the enforcement agency is the Queensland Police Service—the performance of its activities related to the enforcement of laws; or\nif the enforcement agency is the Crime and Corruption Commission—the performance of its activities related to the enforcement of laws and its intelligence functions; or\nif the enforcement agency is the community safety department—the containment, supervision and rehabilitation of offenders under the Corrective Services Act 2006 and the supervision of prisoners subject to supervision orders or interim supervision orders under the Dangerous Prisoners (Sexual Offenders) Act 2003 ; or\nif the enforcement agency is any other law enforcement agency—the performance of its responsibility mentioned in schedule&#160;5 , definition law enforcement agency , paragraph&#160;(b) (iv) , including the conduct of proceedings started or about to be started in a court or tribunal in relation to the responsibility.\nIn this section—\nintelligence functions means the functions mentioned in the Crime and Corruption Act 2001 , section&#160;53 .\ns&#160;29 amd 2011 No.&#160;45 s&#160;233 ; 2014 No.&#160;21 s&#160;94 (2) sch&#160;2 ; 2023 No.&#160;32 s&#160;25\n(sec.29-ssec.1) A law enforcement agency is not subject to QPP 3.6, 5, 6 or 10.1, but only if the law enforcement agency is satisfied on reasonable grounds that noncompliance with the QPP is necessary for— if the enforcement agency 
is the Queensland Police Service—the performance of its activities related to the enforcement of laws; or if the enforcement agency is the Crime and Corruption Commission—the performance of its activities related to the enforcement of laws and its intelligence functions; or if the enforcement agency is the community safety department—the containment, supervision and rehabilitation of offenders under the Corrective Services Act 2006 and the supervision of prisoners subject to supervision orders or interim supervision orders under the Dangerous Prisoners (Sexual Offenders) Act 2003 ; or if the enforcement agency is any other law enforcement agency—the performance of its responsibility mentioned in schedule&#160;5 , definition law enforcement agency , paragraph&#160;(b) (iv) , including the conduct of proceedings started or about to be started in a court or tribunal in relation to the responsibility.\n(sec.29-ssec.2) In this section— intelligence functions means the functions mentioned in the Crime and Corruption Act 2001 , section&#160;53 .\n- (a) if the enforcement agency is the Queensland Police Service—the performance of its activities related to the enforcement of laws; or\n- (b) if the enforcement agency is the Crime and Corruption Commission—the performance of its activities related to the enforcement of laws and its intelligence functions; or\n- (c) if the enforcement agency is the community safety department—the containment, supervision and rehabilitation of offenders under the Corrective Services Act 2006 and the supervision of prisoners subject to supervision orders or interim supervision orders under the Dangerous Prisoners (Sexual Offenders) Act 2003 ; or\n- (d) if the enforcement agency is any other law enforcement agency—the performance of its responsibility mentioned in schedule&#160;5 , definition law enforcement agency , paragraph&#160;(b) (iv) , including the conduct of proceedings started or about to be started in a court or tribunal in relation to 
the responsibility.","sortOrder":31},{"sectionNumber":"ch.2-pt.2","sectionType":"part","heading":"Disclosure of personal information outside Australia","content":"# Disclosure of personal information outside Australia","sortOrder":32},{"sectionNumber":"sec.30","sectionType":"section","heading":null,"content":"### Section sec.30\n\ns&#160;30 amd 2011 No.&#160;32 s&#160;332 sch&#160;1 pt&#160;2 (amd 2012 No.&#160;9 s&#160;47 )\nom 2023 No.&#160;32 s&#160;26","sortOrder":33},{"sectionNumber":"sec.31","sectionType":"section","heading":null,"content":"### Section sec.31\n\ns&#160;31 amd 2011 No.&#160;32 s&#160;332 sch&#160;1 pt&#160;2 (amd 2012 No.&#160;9 s&#160;47 )\nom 2023 No.&#160;32 s&#160;26","sortOrder":34},{"sectionNumber":"sec.32","sectionType":"section","heading":null,"content":"### Section sec.32\n\ns&#160;32 amd 2011 No.&#160;32 s&#160;332 sch&#160;1 pt&#160;2 (amd 2012 No.&#160;9 s&#160;47 )\nom 2023 No.&#160;32 s&#160;26","sortOrder":35},{"sectionNumber":"sec.33","sectionType":"section","heading":"Disclosure of personal information outside Australia","content":"### sec.33 Disclosure of personal information outside Australia\n\nAn agency may disclose an individual’s personal information to an entity outside Australia only if—\nthe individual agrees to the disclosure; or\nthe disclosure is authorised or required under a law; or\nthe agency is satisfied on reasonable grounds that the disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare; or\n2 or more of the following apply—\nthe agency reasonably believes that the recipient of the personal information is subject to a law, binding scheme or contract that effectively upholds principles for the fair handling of personal information that are substantially similar to the QPPs;\nthe disclosure is necessary for the performance of the agency’s functions in relation to the individual;\nthe disclosure is for the 
benefit of the individual but it is not practicable to seek the agreement of the individual, and if it were practicable to seek the agreement of the individual, the individual would be likely to give the agreement;\nthe agency has taken reasonable steps to ensure that the personal information it discloses will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the QPPs.\ns&#160;33 amd 2011 No.&#160;32 s&#160;332 sch&#160;1 pt&#160;2 (amd 2012 No.&#160;9 s&#160;47 ); 2023 No.&#160;32 s&#160;28\n- (a) the individual agrees to the disclosure; or\n- (b) the disclosure is authorised or required under a law; or\n- (c) the agency is satisfied on reasonable grounds that the disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare; or\n- (d) 2 or more of the following apply— (i) the agency reasonably believes that the recipient of the personal information is subject to a law, binding scheme or contract that effectively upholds principles for the fair handling of personal information that are substantially similar to the QPPs; (ii) the disclosure is necessary for the performance of the agency’s functions in relation to the individual; (iii) the disclosure is for the benefit of the individual but it is not practicable to seek the agreement of the individual, and if it were practicable to seek the agreement of the individual, the individual would be likely to give the agreement; (iv) the agency has taken reasonable steps to ensure that the personal information it discloses will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the QPPs.\n- (i) the agency reasonably believes that the recipient of the personal information is subject to a law, binding scheme or contract that effectively upholds principles for the fair handling of personal information that are substantially 
similar to the QPPs;\n- (ii) the disclosure is necessary for the performance of the agency’s functions in relation to the individual;\n- (iii) the disclosure is for the benefit of the individual but it is not practicable to seek the agreement of the individual, and if it were practicable to seek the agreement of the individual, the individual would be likely to give the agreement;\n- (iv) the agency has taken reasonable steps to ensure that the personal information it discloses will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the QPPs.\n- (i) the agency reasonably believes that the recipient of the personal information is subject to a law, binding scheme or contract that effectively upholds principles for the fair handling of personal information that are substantially similar to the QPPs;\n- (ii) the disclosure is necessary for the performance of the agency’s functions in relation to the individual;\n- (iii) the disclosure is for the benefit of the individual but it is not practicable to seek the agreement of the individual, and if it were practicable to seek the agreement of the individual, the individual would be likely to give the agreement;\n- (iv) the agency has taken reasonable steps to ensure that the personal information it discloses will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the QPPs.","sortOrder":36},{"sectionNumber":"ch.2-pt.3","sectionType":"part","heading":"Compliance with parts&#160;1 and 2 and s&#160;41 by contracted service providers","content":"# Compliance with parts&#160;1 and 2 and s&#160;41 by contracted service providers","sortOrder":37},{"sectionNumber":"sec.34","sectionType":"section","heading":"Meaning of service arrangement","content":"### sec.34 Meaning of service arrangement\n\nIn this Act, a service arrangement is a contract or other arrangement entered into after the commencement of this section under which an 
entity other than an agency (the contracted service provider) agrees or otherwise arranges with an agency (the contracting agency) to provide services.\nFor subsection (1)—\nthe services must be for the purposes of the performance of 1 or more of the contracting agency’s functions; and\nthe services must be provided either—\ndirectly to the contracting agency; or\nto another entity on the contracting agency’s behalf; and\nthe contracted service provider must not be in the capacity of employee of the contracting agency in providing the services.\n(sec.34-ssec.1) In this Act, a service arrangement is a contract or other arrangement entered into after the commencement of this section under which an entity other than an agency (the contracted service provider) agrees or otherwise arranges with an agency (the contracting agency) to provide services.\n(sec.34-ssec.2) For subsection (1)— the services must be for the purposes of the performance of 1 or more of the contracting agency’s functions; and the services must be provided either— directly to the contracting agency; or to another entity on the contracting agency’s behalf; and the contracted service provider must not be in the capacity of employee of the contracting agency in providing the services.\n- (a) the services must be for the purposes of the performance of 1 or more of the contracting agency’s functions; and\n- (b) the services must be provided either— (i) directly to the contracting agency; or (ii) to another entity on the contracting agency’s behalf; and\n- (i) directly to the contracting agency; or\n- (ii) to another entity on the contracting agency’s behalf; and\n- (c) the contracted service provider must not be in the capacity of employee of the contracting agency in providing the services.\n- (i) directly to the contracting agency; or\n- (ii) to another entity on the contracting agency’s behalf; and","sortOrder":38},{"sectionNumber":"sec.35","sectionType":"section","heading":"Binding a
contracted service provider to privacy principle requirements","content":"### sec.35 Binding a contracted service provider to privacy principle requirements\n\nAn agency entering into a service arrangement must take all reasonable steps to ensure that the contracted service provider is required to comply with parts 1 and 2 and section 41, as if it were the agency, in relation to the discharge of its obligations under the arrangement.\nHowever, the agency must comply with subsection (1) only if—\nthe contracted service provider will in any way deal with personal information for the contracting agency; or\nthe provision of services under the arrangement will involve—\nthe transfer of personal information to the contracting agency; or\nthe provision of services to a third party for the contracting agency.\nThe agency is not required to comply with subsection (1) if—\nthe contracted service provider is to receive funding from the contracting agency; and\nthe contracted service provider will not collect personal information for the contracting agency; and\nthe contracted service provider will not receive any personal information from the contracting agency for the purposes of discharging its obligations; and\nthe contracted service provider will not be required to give the contracting agency any personal information it collects in discharging its obligations.\nSubsections (1) to (3) are not intended to limit what may be provided for in a service arrangement about the contracted service provider’s collection, storage, handling, accessing, amendment, management, transfer, use or disclosure of personal information, whether or not the contracted service provider is a bound contracted service provider.\ns 35 amd 2023 No. 32 s 30\n(sec.35-ssec.1) An agency entering into a service arrangement must take all reasonable steps to ensure that the contracted service provider is required to comply with parts 1 and 2 and section 41,
as if it were the agency, in relation to the discharge of its obligations under the arrangement.\n(sec.35-ssec.2) However, the agency must comply with subsection (1) only if— the contracted service provider will in any way deal with personal information for the contracting agency; or the provision of services under the arrangement will involve— the transfer of personal information to the contracting agency; or the provision of services to a third party for the contracting agency.\n(sec.35-ssec.3) The agency is not required to comply with subsection (1) if— the contracted service provider is to receive funding from the contracting agency; and the contracted service provider will not collect personal information for the contracting agency; and the contracted service provider will not receive any personal information from the contracting agency for the purposes of discharging its obligations; and the contracted service provider will not be required to give the contracting agency any personal information it collects in discharging its obligations.\n(sec.35-ssec.4) Subsections (1) to (3) are not intended to limit what may be provided for in a service arrangement about the contracted service provider’s collection, storage, handling, accessing, amendment, management, transfer, use or disclosure of personal information, whether or not the contracted service provider is a bound contracted service provider.\n- (a) the contracted service provider will in any way deal with personal information for the contracting agency; or\n- (b) the provision of services under the arrangement will involve— (i) the transfer of personal information to the contracting agency; or (ii) the provision of services to a third party for the contracting agency.\n- (i) the transfer of personal information to the contracting agency; or\n- (ii) the provision of services to a third party for the contracting agency.\n- (i) the transfer of personal information to the contracting agency; or\n-
(ii) the provision of services to a third party for the contracting agency.\n- (a) the contracted service provider is to receive funding from the contracting agency; and\n- (b) the contracted service provider will not collect personal information for the contracting agency; and\n- (c) the contracted service provider will not receive any personal information from the contracting agency for the purposes of discharging its obligations; and\n- (d) the contracted service provider will not be required to give the contracting agency any personal information it collects in discharging its obligations.","sortOrder":39},{"sectionNumber":"sec.36","sectionType":"section","heading":"Bound contracted service provider to comply with privacy principle requirements","content":"### sec.36 Bound contracted service provider to comply with privacy principle requirements\n\nA bound contracted service provider under a service arrangement must comply with parts 1 and 2 and section 41 in relation to the discharge of its obligations under the arrangement as if it were the entity that is the contracting agency.\nThe requirement to comply under subsection (1) continues to apply to the bound contracted service provider in relation to personal information it continues to hold after its obligations under the service arrangement otherwise end.\nA bound contracted service provider’s compliance with the privacy principle requirements may be enforced under this Act as if it were an agency.\nSubsections (1) to (3) are not intended to prevent a service arrangement from including a requirement for the contracted service provider to comply with all or part of the privacy principles even though this part does not require that the service arrangement include the requirement.\ns 36 amd 2023 No. 32 ss 31, 141 sch 1 pt 2 amdt 4 (amdt could not be given effect)\n(sec.36-ssec.1) A bound contracted service provider under a service arrangement must comply with
parts 1 and 2 and section 41 in relation to the discharge of its obligations under the arrangement as if it were the entity that is the contracting agency.\n(sec.36-ssec.2) The requirement to comply under subsection (1) continues to apply to the bound contracted service provider in relation to personal information it continues to hold after its obligations under the service arrangement otherwise end.\n(sec.36-ssec.3) A bound contracted service provider’s compliance with the privacy principle requirements may be enforced under this Act as if it were an agency.\n(sec.36-ssec.4) Subsections (1) to (3) are not intended to prevent a service arrangement from including a requirement for the contracted service provider to comply with all or part of the privacy principles even though this part does not require that the service arrangement include the requirement.","sortOrder":40},{"sectionNumber":"sec.37","sectionType":"section","heading":"Contracting agency to comply with privacy principles if contracted service provider not bound","content":"### sec.37 Contracting agency to comply with privacy principles if contracted service provider not bound\n\nThis section applies if a contracted service provider under a service arrangement is not a bound contracted service provider because the contracting agency under the service arrangement did not take the steps required of it under section 35.\nThe obligations that would attach to the contracted service provider if it were a bound contracted service provider attach instead to the contracting agency under the arrangement.\n(sec.37-ssec.1) This section applies if a contracted service provider under a service arrangement is not a bound contracted service provider because the contracting agency under the service arrangement did not take the steps required of it under section 35.\n(sec.37-ssec.2) The obligations that would attach to the contracted service provider if it were a bound contracted service
provider attach instead to the contracting agency under the arrangement.","sortOrder":41},{"sectionNumber":"ch.2-pt.5","sectionType":"part","heading":"Provision of information to Ministers","content":"# Provision of information to Ministers","sortOrder":42},{"sectionNumber":"sec.38","sectionType":"section","heading":"Personal information relevant to portfolio responsibilities","content":"### sec.38 Personal information relevant to portfolio responsibilities\n\nAn agency does not contravene the requirement under this Act that it comply with the QPPs only because it gives personal information to a Minister to inform the Minister about matters relevant to the Minister’s responsibilities in relation to the agency.\ns 38 amd 2023 No. 32 s 32","sortOrder":43},{"sectionNumber":"ch.2-pt.6","sectionType":"part","heading":"Miscellaneous","content":"# Miscellaneous","sortOrder":44},{"sectionNumber":"sec.39","sectionType":"section","heading":"Nature of rights created by pts 1 to 3","content":"### sec.39 Nature of rights created by pts 1 to 3\n\nExcept as provided for under the procedures set out in this Act, an obligation imposed on an entity under part 1, 2 or 3 does not—\ngive rise to any civil cause of action; or\noperate to create in any person any legal right enforceable in a court or tribunal.\nSubsection (1) does not limit chapter 5.\n(sec.39-ssec.1) Except as provided for under the procedures set out in this Act, an obligation imposed on an entity under part 1, 2 or 3 does not— give rise to any civil cause of action; or operate to create in any person any legal right enforceable in a court or tribunal.\n(sec.39-ssec.2) Subsection (1) does not limit chapter 5.\n- (a) give rise to any civil cause of action; or\n- (b) operate to create in any person any legal right enforceable in a court or tribunal.","sortOrder":45},{"sectionNumber":"ch.3-pt.1","sectionType":"part","heading":"QPP codes","content":"# QPP
codes","sortOrder":46},{"sectionNumber":"sec.40","sectionType":"section","heading":"QPP codes","content":"### sec.40 QPP codes\n\nA QPP code is a written code of practice about information privacy, approved by regulation under section 43, that states—\nhow 1 or more of the QPPs are to be applied or complied with; and\nthe agencies that are bound by the code, or a way of determining the agencies that are bound by the code.\nA QPP code may also impose additional requirements to those imposed by a QPP, to the extent the additional requirements are not inconsistent with a QPP.\nA QPP code expires on the earlier of the following days—\nthe day that is 5 years after the day the QPP code is approved under section 43;\nif the QPP code states an expiry day—the stated day.\ns 40 sub 2023 No. 32 s 33\n(sec.40-ssec.1) A QPP code is a written code of practice about information privacy, approved by regulation under section 43, that states— how 1 or more of the QPPs are to be applied or complied with; and the agencies that are bound by the code, or a way of determining the agencies that are bound by the code.\n(sec.40-ssec.2) A QPP code may also impose additional requirements to those imposed by a QPP, to the extent the additional requirements are not inconsistent with a QPP.\n(sec.40-ssec.3) A QPP code expires on the earlier of the following days— the day that is 5 years after the day the QPP code is approved under section 43; if the QPP code states an expiry day—the stated day.\n- (a) how 1 or more of the QPPs are to be applied or complied with; and\n- (b) the agencies that are bound by the code, or a way of determining the agencies that are bound by the code.\n- (a) the day that is 5 years after the day the QPP code is approved under section 43;\n- (b) if the QPP code states an expiry day—the stated day.","sortOrder":47},{"sectionNumber":"sec.41","sectionType":"section","heading":"Agencies must comply with QPP codes","content":"###
sec.41 Agencies must comply with QPP codes\n\nAn agency must not do an act, or engage in a practice, that contravenes a QPP code that is in effect and binds the agency.\ns 41 sub 2023 No. 32 s 33","sortOrder":48},{"sectionNumber":"sec.42","sectionType":"section","heading":"Preparing QPP codes","content":"### sec.42 Preparing QPP codes\n\nThe information commissioner or an agency may prepare a draft QPP code or draft amendment of a QPP code and submit the draft to the Minister for endorsement.\nHowever, before the information commissioner or agency submits the draft code or amendment to the Minister, the commissioner or agency must—\npublish the draft on an accessible agency website; and\ninvite the public to make submissions to the commissioner or agency about the draft within a stated period of at least 20 business days; and\nconsider any submissions made within the stated period.\nAn agency must, immediately after publishing a draft QPP code or draft amendment of a QPP code under subsection (2), notify the information commissioner of the publication.\ns 42 amd 2022 No. 34 s 365 sch 3\nsub 2023 No. 32 s 33\n(sec.42-ssec.1) The information commissioner or an agency may prepare a draft QPP code or draft amendment of a QPP code and submit the draft to the Minister for endorsement.\n(sec.42-ssec.2) However, before the information commissioner or agency submits the draft code or amendment to the Minister, the commissioner or agency must— publish the draft on an accessible agency website; and invite the public to make submissions to the commissioner or agency about the draft within a stated period of at least 20 business days; and consider any submissions made within the stated period.\n(sec.42-ssec.3) An agency must, immediately after publishing a draft QPP code or draft amendment of a QPP code under subsection (2), notify the information commissioner of the publication.\n- (a) publish the draft on an accessible
agency website; and\n- (b) invite the public to make submissions to the commissioner or agency about the draft within a stated period of at least 20 business days; and\n- (c) consider any submissions made within the stated period.","sortOrder":49},{"sectionNumber":"sec.43","sectionType":"section","heading":"Approval of QPP codes or amendments of QPP codes","content":"### sec.43 Approval of QPP codes or amendments of QPP codes\n\nThis section applies if a draft QPP code or draft amendment of a QPP code is submitted to the Minister under section 42.\nIf the draft is submitted by an agency, the Minister must ask the information commissioner for submissions about the draft.\nThe Minister must decide to endorse or refuse to endorse the draft, having regard to—\nany submissions made by the information commissioner; and\nany other relevant matter.\nIf the Minister endorses the draft, the Minister must recommend to the Governor in Council the making of a regulation approving the QPP code or amended QPP code.\nThe QPP code or amended QPP code—\ndoes not take effect unless it is approved by regulation; and\ntakes effect on the day prescribed by regulation for the code or amended code.\nThe information commissioner must, as soon as practicable after a regulation approving a QPP code or amended QPP code is made, publish the code or amended code on the commissioner’s website.\ns 43 amd 2012 No. 6 s 27 sch amdts 2(1)(b), (2)\nsub 2023 No. 32 s 33\n(sec.43-ssec.1) This section applies if a draft QPP code or draft amendment of a QPP code is submitted to the Minister under section 42.\n(sec.43-ssec.2) If the draft is submitted by an agency, the Minister must ask the information commissioner for submissions about the draft.\n(sec.43-ssec.3) The Minister must decide to endorse or refuse to endorse the draft, having regard to— any submissions made by the information commissioner; and any other relevant matter.\n(sec.43-ssec.4) If the Minister
endorses the draft, the Minister must recommend to the Governor in Council the making of a regulation approving the QPP code or amended QPP code.\n(sec.43-ssec.5) The QPP code or amended QPP code— does not take effect unless it is approved by regulation; and takes effect on the day prescribed by regulation for the code or amended code.\n(sec.43-ssec.6) The information commissioner must, as soon as practicable after a regulation approving a QPP code or amended QPP code is made, publish the code or amended code on the commissioner’s website.\n- (a) any submissions made by the information commissioner; and\n- (b) any other relevant matter.\n- (a) does not take effect unless it is approved by regulation; and\n- (b) takes effect on the day prescribed by regulation for the code or amended code.","sortOrder":50},{"sectionNumber":"ch.3-pt.2","sectionType":"part","heading":"Guideline for permitted general situations","content":"# Guideline for permitted general situations","sortOrder":51},{"sectionNumber":"sec.44","sectionType":"section","heading":"Preparing guideline","content":"### sec.44 Preparing guideline\n\nThe information commissioner may—\nprepare a draft guideline about the collection, use or disclosure of personal information to assist an entity locate a person who has been reported as missing; and\nsubmit the draft to the Minister for endorsement.\nHowever, before the information commissioner submits the draft guideline to the Minister, the commissioner must—\npublish the draft on the commissioner’s website; and\ninvite the public to make submissions to the commissioner about the draft within a stated period of at least 20 business days; and\nconsider any submissions made within the stated period.\ns 44 amd 2012 No. 6 s 27 sch amdts 2(1)(b), (2)\nsub 2023 No. 32 s 33\n(sec.44-ssec.1) The information commissioner may— prepare a draft guideline about the collection, use or disclosure of personal information to assist an entity locate a
person who has been reported as missing; and submit the draft to the Minister for endorsement.\n(sec.44-ssec.2) However, before the information commissioner submits the draft guideline to the Minister, the commissioner must— publish the draft on the commissioner’s website; and invite the public to make submissions to the commissioner about the draft within a stated period of at least 20 business days; and consider any submissions made within the stated period.\n- (a) prepare a draft guideline about the collection, use or disclosure of personal information to assist an entity locate a person who has been reported as missing; and\n- (b) submit the draft to the Minister for endorsement.\n- (a) publish the draft on the commissioner’s website; and\n- (b) invite the public to make submissions to the commissioner about the draft within a stated period of at least 20 business days; and\n- (c) consider any submissions made within the stated period.","sortOrder":52},{"sectionNumber":"sec.45","sectionType":"section","heading":"Approval of guideline","content":"### sec.45 Approval of guideline\n\nThis section applies if a draft guideline is submitted to the Minister under section 44.\nThe Minister must decide to endorse or refuse to endorse the draft.\nIf the Minister endorses the draft, the Minister must recommend to the Governor in Council the making of a regulation approving the guideline.\nThe guideline—\ndoes not take effect unless it is approved by regulation; and\ntakes effect on the day prescribed by regulation for the guideline; and\nexpires 5 years after the day mentioned in paragraph (b).\nThe information commissioner must, as soon as practicable after a regulation approving a guideline is made under this section, publish the guideline on the commissioner’s website.\ns 45 amd 2017 No. 17 s 118\nsub 2023 No. 32 s 33\n(sec.45-ssec.1) This section applies if a draft guideline is submitted to the Minister under section 44
.\n(sec.45-ssec.2) The Minister must decide to endorse or refuse to endorse the draft.\n(sec.45-ssec.3) If the Minister endorses the draft, the Minister must recommend to the Governor in Council the making of a regulation approving the guideline.\n(sec.45-ssec.4) The guideline— does not take effect unless it is approved by regulation; and takes effect on the day prescribed by regulation for the guideline; and expires 5 years after the day mentioned in paragraph (b).\n(sec.45-ssec.5) The information commissioner must, as soon as practicable after a regulation approving a guideline is made under this section, publish the guideline on the commissioner’s website.\n- (a) does not take effect unless it is approved by regulation; and\n- (b) takes effect on the day prescribed by regulation for the guideline; and\n- (c) expires 5 years after the day mentioned in paragraph (b).","sortOrder":53},{"sectionNumber":"ch.3A-pt.1","sectionType":"part","heading":"Preliminary","content":"# Preliminary","sortOrder":54},{"sectionNumber":"sec.46","sectionType":"section","heading":"Application of chapter","content":"### sec.46 Application of chapter\n\nThis chapter applies in relation to personal information, other than personal information in a document to which the privacy principle requirements do not apply, held by an agency.\ns 46 sub 2023 No. 32 s 33","sortOrder":55},{"sectionNumber":"sec.47","sectionType":"section","heading":"Meaning of eligible data breach","content":"### sec.47 Meaning of eligible data breach\n\nAn eligible data breach of an agency is a data breach of the agency that occurs in relation to personal information held by the agency if—\nboth of the following apply—\nthe data breach involves unauthorised access to, or unauthorised disclosure of, the personal information;\nthe access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the
matters stated in subsection (2); or\nthe data breach involves the personal information being lost in circumstances where—\nunauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and\nif the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2).\nFor subsection (1)(a)(ii) and (b)(ii), the matters are—\nthe kind of personal information accessed, disclosed or lost; and\nthe sensitivity of the personal information; and\nwhether the personal information is protected by 1 or more security measures; and\nif the personal information is protected by 1 or more security measures—the likelihood that any of those security measures could be overcome; and\nthe persons, or the kinds of persons, who have obtained, or who could obtain, the personal information; and\nthe nature of the harm likely to result from the data breach; and\nany other relevant matter.\ns 47 sub 2023 No. 32 s 33\n(sec.47-ssec.1) An eligible data breach of an agency is a data breach of the agency that occurs in relation to personal information held by the agency if— both of the following apply— the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information; the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2); or the data breach involves the personal information being lost in circumstances where— unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to
result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2).\n(sec.47-ssec.2) For subsection (1)(a)(ii) and (b)(ii), the matters are— the kind of personal information accessed, disclosed or lost; and the sensitivity of the personal information; and whether the personal information is protected by 1 or more security measures; and if the personal information is protected by 1 or more security measures—the likelihood that any of those security measures could be overcome; and the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information; and the nature of the harm likely to result from the data breach; and any other relevant matter.\n- (a) both of the following apply— (i) the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information; (ii) the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2); or\n- (i) the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information;\n- (ii) the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2); or\n- (b) the data breach involves the personal information being lost in circumstances where— (i) unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and (ii) if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2).\n- (i)
unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and\n- (ii) if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2).\n- (i) the data breach involves unauthorised access to, or unauthorised disclosure of, the personal information;\n- (ii) the access or disclosure is likely to result in serious harm to an individual (an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2); or\n- (i) unauthorised access to, or unauthorised disclosure of, the personal information is likely to occur; and\n- (ii) if the unauthorised access to or unauthorised disclosure of the personal information were to occur, it would be likely to result in serious harm to an individual (also an affected individual) to whom the personal information relates, having regard to the matters stated in subsection (2).\n- (a) the kind of personal information accessed, disclosed or lost; and\n- (b) the sensitivity of the personal information; and\n- (c) whether the personal information is protected by 1 or more security measures; and\n- (d) if the personal information is protected by 1 or more security measures—the likelihood that any of those security measures could be overcome; and\n- (e) the persons, or the kinds of persons, who have obtained, or who could obtain, the personal information; and\n- (f) the nature of the harm likely to result from the data breach; and\n- (g) any other relevant matter.","sortOrder":56},{"sectionNumber":"ch.3A-pt.2","sectionType":"part","heading":"Assessment of suspected eligible data breaches","content":"# Assessment of suspected eligible data
breaches","sortOrder":57},{"sectionNumber":"sec.48","sectionType":"section","heading":"Obligations of agencies in relation to data breaches","content":"### sec.48 Obligations of agencies in relation to data breaches\n\nThis section applies in relation to a data breach of an agency if the agency knows, or reasonably suspects, that the data breach is an eligible data breach of the agency.\nThe agency must—\nimmediately, and continue to, take all reasonable steps to—\ncontain the data breach; and\nmitigate the harm caused by the data breach; and\nif the agency does not know whether the data breach is an eligible data breach of the agency—assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.\nAn assessment under subsection (2)(b) must be completed within—\n30 days after the suspicion mentioned in subsection (1) was formed; or\nif the period mentioned in paragraph (a) is extended under section 49—the extended period.\nIf, at any time, the agency becomes aware the data breach may affect another agency, the agency must give a written notice to the other agency of the data breach that includes—\na description of the data breach; and\na description of the kind of personal information the subject of the data breach, without including any personal information in the description.\nThe agency need not comply with subsections (2)(b) and (3) in relation to the data breach if—\nall of the personal information the subject of the data breach is also the subject of a data breach of 1 or more other agencies; and\nat least 1 of the other agencies has undertaken to conduct the assessment in relation to the data breach.\ns 48 sub 2023 No. 32 s 33\n(sec.48-ssec.1) This section applies in relation to a data breach of an agency if the agency knows, or reasonably suspects, that the data breach is an eligible data breach of the agency.\n(sec.48-ssec.2) The agency must— immediately, and
continue to, take all reasonable steps to— contain the data breach; and mitigate the harm caused by the data breach; and if the agency does not know whether the data breach is an eligible data breach of the agency—assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.\n(sec.48-ssec.3) An assessment under subsection (2)(b) must be completed within— 30 days after the suspicion mentioned in subsection (1) was formed; or if the period mentioned in paragraph (a) is extended under section 49—the extended period.\n(sec.48-ssec.4) If, at any time, the agency becomes aware the data breach may affect another agency, the agency must give a written notice to the other agency of the data breach that includes— a description of the data breach; and a description of the kind of personal information the subject of the data breach, without including any personal information in the description.\n(sec.48-ssec.5) The agency need not comply with subsections (2)(b) and (3) in relation to the data breach if— all of the personal information the subject of the data breach is also the subject of a data breach of 1 or more other agencies; and at least 1 of the other agencies has undertaken to conduct the assessment in relation to the data breach.\n- (a) immediately, and continue to, take all reasonable steps to— (i) contain the data breach; and (ii) mitigate the harm caused by the data breach; and\n- (i) contain the data breach; and\n- (ii) mitigate the harm caused by the data breach; and\n- (b) if the agency does not know whether the data breach is an eligible data breach of the agency—assess whether there are reasonable grounds to believe the data breach is an eligible data breach of the agency.\n- (i) contain the data breach; and\n- (ii) mitigate the harm caused by the data breach; and\n- (a) 30 days after the suspicion mentioned in subsection (1) was formed; or\n- (b) if the period mentioned in
paragraph (a) is extended under section 49—the extended period.\n- (a) a description of the data breach; and\n- (b) a description of the kind of personal information the subject of the data breach, without including any personal information in the description.\n- (a) all of the personal information the subject of the data breach is also the subject of a data breach of 1 or more other agencies; and\n- (b) at least 1 of the other agencies has undertaken to conduct the assessment in relation to the data breach.","sortOrder":58},{"sectionNumber":"sec.49","sectionType":"section","heading":"Extension of period for assessment by agency","content":"### sec.49 Extension of period for assessment by agency\n\nThis section applies if an agency required to conduct an assessment under section 48 is satisfied the assessment can not reasonably be completed within the 30 day period mentioned in section 48(3)(a).\nThe agency may extend the period within which the assessment must be completed by no longer than the period reasonably required for the agency to complete the assessment.\nIf the period is extended under subsection (2), the agency must, within the 30 day period mentioned in section 48(3)(a)—\nstart the assessment; and\ngive a written notice to the information commissioner stating—\nthat the assessment has started; and\nthe period within which the assessment must be completed has been extended under this section; and\nthe day the extended period ends.\nThe information commissioner may ask the agency to provide further information or updates about the progress of the assessment.\ns 49 sub 2023 No. 32 s 33\n(sec.49-ssec.1) This section applies if an agency required to conduct an assessment under section 48 is satisfied the assessment can not reasonably be completed within the 30 day period mentioned in section 48(3)(a).\n(sec.49-ssec.2) The agency may extend the period within which the assessment must be 
completed by no longer than the period reasonably required for the agency to complete the assessment.\n(sec.49-ssec.3) If the period is extended under subsection (2), the agency must, within the 30 day period mentioned in section 48(3)(a)— start the assessment; and give a written notice to the information commissioner stating— that the assessment has started; and the period within which the assessment must be completed has been extended under this section; and the day the extended period ends.\n(sec.49-ssec.4) The information commissioner may ask the agency to provide further information or updates about the progress of the assessment.\n- (a) start the assessment; and\n- (b) give a written notice to the information commissioner stating— (i) that the assessment has started; and (ii) the period within which the assessment must be completed has been extended under this section; and (iii) the day the extended period ends.\n- (i) that the assessment has started; and\n- (ii) the period within which the assessment must be completed has been extended under this section; and\n- (iii) the day the extended period ends.\n- (i) that the assessment has started; and\n- (ii) the period within which the assessment must be completed has been extended under this section; and\n- (iii) the day the extended period ends.","sortOrder":59},{"sectionNumber":"ch.3A-pt.3","sectionType":"part","heading":"Notifying eligible data breaches","content":"# Notifying eligible data breaches","sortOrder":60},{"sectionNumber":"ch.3A-pt.3-div.1","sectionType":"division","heading":"Preliminary","content":"## Preliminary","sortOrder":61},{"sectionNumber":"sec.50","sectionType":"section","heading":"Application of part","content":"### sec.50 Application of part\n\nThis part applies if an agency reasonably believes that there has been an eligible data breach of the agency.\nHowever, division 2 does not apply in relation to the agency to the extent an exemption applies to the agency under 
division 3.\ns 50 amd 2009 No. 48 s 220\nsub 2023 No. 32 s 33\n(sec.50-ssec.1) This part applies if an agency reasonably believes that there has been an eligible data breach of the agency.\n(sec.50-ssec.2) However, division 2 does not apply in relation to the agency to the extent an exemption applies to the agency under division 3.","sortOrder":62},{"sectionNumber":"ch.3A-pt.3-div.2","sectionType":"division","heading":"Notification","content":"## Notification","sortOrder":63},{"sectionNumber":"sec.51","sectionType":"section","heading":"Agency must give statement about eligible data breach to information commissioner","content":"### sec.51 Agency must give statement about eligible data breach to information commissioner\n\nThe agency must, as soon as practicable after forming the belief mentioned in section 50—\nprepare a statement that includes the information stated in subsection (2); and\ngive the statement to the information commissioner.\nFor subsection (1)(a), the statement must, to the extent it is reasonably practicable, include the following information—\nthe information that must be included in a notification given under section 53(2)(a) to (e), (h) and (i);\na description of the kind of personal information the subject of the data breach, without including any personal information in the description;\nthe agency’s recommendations about the steps individuals should take in response to the data breach;\nwhether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies;\nthe total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of each of the following—\nthe individuals whose personal information has been accessed, disclosed or lost;\naffected individuals for the data breach;\neither—\nthe total number of individuals notified of the data breach or, if it is 
not reasonably practicable to work out the total number, an estimate of the total number; or\nif section 57 is relied on, the total number of individuals who would have been notified if that section had not been relied on or, if it is not reasonably practicable to work out the total number, an estimate of the total number;\nwhether the individuals notified have been advised about how to make a privacy complaint to the agency under section 166A.\ns 51 amd 2009 No. 48 s 221\nsub 2023 No. 32 s 33\n(sec.51-ssec.1) The agency must, as soon as practicable after forming the belief mentioned in section 50— prepare a statement that includes the information stated in subsection (2); and give the statement to the information commissioner.\n(sec.51-ssec.2) For subsection (1)(a), the statement must, to the extent it is reasonably practicable, include the following information— the information that must be included in a notification given under section 53(2)(a) to (e), (h) and (i); a description of the kind of personal information the subject of the data breach, without including any personal information in the description; the agency’s recommendations about the steps individuals should take in response to the data breach; whether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies; the total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of each of the following— the individuals whose personal information has been accessed, disclosed or lost; affected individuals for the data breach; either— the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number; or if section 57 is relied on, the total number of individuals who would have been notified if that section had not been 
relied on or, if it is not reasonably practicable to work out the total number, an estimate of the total number; whether the individuals notified have been advised about how to make a privacy complaint to the agency under section 166A.\n- (a) prepare a statement that includes the information stated in subsection (2); and\n- (b) give the statement to the information commissioner.\n- (a) the information that must be included in a notification given under section 53(2)(a) to (e), (h) and (i);\n- (b) a description of the kind of personal information the subject of the data breach, without including any personal information in the description;\n- (c) the agency’s recommendations about the steps individuals should take in response to the data breach;\n- (d) whether the agency is reporting on behalf of other agencies affected by the same data breach and, if so, the details of the other agencies;\n- (e) the total number or, if it is not reasonably practicable to work out the total number, an estimate of the total number of each of the following— (i) the individuals whose personal information has been accessed, disclosed or lost; (ii) affected individuals for the data breach;\n- (i) the individuals whose personal information has been accessed, disclosed or lost;\n- (ii) affected individuals for the data breach;\n- (f) either— (i) the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number; or (ii) if section 57 is relied on, the total number of individuals who would have been notified if that section had not been relied on or, if it is not reasonably practicable to work out the total number, an estimate of the total number;\n- (i) the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number; or\n- (ii) if section 57 is relied on, the total 
number of individuals who would have been notified if that section had not been relied on or, if it is not reasonably practicable to work out the total number, an estimate of the total number;\n- (g) whether the individuals notified have been advised about how to make a privacy complaint to the agency under section 166A.\n- (i) the individuals whose personal information has been accessed, disclosed or lost;\n- (ii) affected individuals for the data breach;\n- (i) the total number of individuals notified of the data breach or, if it is not reasonably practicable to work out the total number, an estimate of the total number; or\n- (ii) if section 57 is relied on, the total number of individuals who would have been notified if that section had not been relied on or, if it is not reasonably practicable to work out the total number, an estimate of the total number;","sortOrder":64},{"sectionNumber":"sec.52","sectionType":"section","heading":"Further information to be provided","content":"### sec.52 Further information to be provided\n\nThis section applies if it is not reasonably practicable to include any information required under section 51 when the statement is given to the information commissioner under that section, including, for example, the total number of individuals mentioned in section 51(2)(e) or (f).\nThe agency must take all reasonable steps to provide the information to the commissioner as soon as practicable after the statement is given.\ns 52 sub 2023 No. 32 s 33\n(sec.52-ssec.1) This section applies if it is not reasonably practicable to include any information required under section 51 when the statement is given to the information commissioner under that section, including, for example, the total number of individuals mentioned in section 51(2)(e) or (f).\n(sec.52-ssec.2) The agency must take all reasonable steps to provide the information to the commissioner as soon as practicable after the 
statement is given.","sortOrder":65},{"sectionNumber":"sec.53","sectionType":"section","heading":"Agencies must notify particular individuals","content":"### sec.53 Agencies must notify particular individuals\n\nThe agency must, as soon as practicable after the belief mentioned in section 50 is formed—\nif it is reasonably practicable to notify each individual whose personal information has been accessed, disclosed or lost—take reasonable steps to notify each individual of the information mentioned in subsection (2); or\nif paragraph (a) does not apply and it is reasonably practicable to notify each affected individual for the data breach—take reasonable steps to notify each affected individual of the information mentioned in subsection (2); or\nif paragraphs (a) and (b) do not apply—publish the information mentioned in subsection (2) on an accessible agency website for a period of at least 12 months, other than information that would prejudice the agency’s functions.\nA notification under subsection (1) must, to the extent it is reasonably practicable, include the following information—\nthe name of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;\nthe contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach;\nthe date the data breach occurred;\na description of the data breach, including the type of eligible data breach under section 47;\ninformation about how the data breach occurred;\nfor a notification under subsection (1)(a) or (b)—\na description of the personal information the subject of the data breach; and\nthe agency’s recommendations about the steps the individual should take in response to the data breach;\nfor a notification under subsection (1)(c)—\na description of the kind of personal information the subject of the data breach, without including any personal information 
in the description; and\nthe agency’s recommendations about the steps individuals should take in response to the data breach;\nif the data breach involved unauthorised access to or disclosure of personal information—the period during which the access or disclosure was available or made;\nthe steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach;\ninformation about how an individual may make a privacy complaint to the agency under section 166A.\nThe agency must, as soon as practicable after a notice is published under subsection (1)(c), provide the information commissioner with information about how to access the notice.\nThe information commissioner must, after receiving the information under subsection (3), publish on the commissioner’s website information about how to access the notice for a period of at least 12 months.\ns 53 amd 2017 No. 17 s 119\nsub 2023 No. 32 s 33\n(sec.53-ssec.1) The agency must, as soon as practicable after the belief mentioned in section 50 is formed— if it is reasonably practicable to notify each individual whose personal information has been accessed, disclosed or lost—take reasonable steps to notify each individual of the information mentioned in subsection (2); or if paragraph (a) does not apply and it is reasonably practicable to notify each affected individual for the data breach—take reasonable steps to notify each affected individual of the information mentioned in subsection (2); or if paragraphs (a) and (b) do not apply—publish the information mentioned in subsection (2) on an accessible agency website for a period of at least 12 months, other than information that would prejudice the agency’s functions.\n(sec.53-ssec.2) A notification under subsection (1) must, to the extent it is reasonably practicable, include the following information— the name of the agency and, if 
more than 1 agency was affected by the data breach, the name of each other agency; the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach; the date the data breach occurred; a description of the data breach, including the type of eligible data breach under section 47; information about how the data breach occurred; for a notification under subsection (1)(a) or (b)— a description of the personal information the subject of the data breach; and the agency’s recommendations about the steps the individual should take in response to the data breach; for a notification under subsection (1)(c)— a description of the kind of personal information the subject of the data breach, without including any personal information in the description; and the agency’s recommendations about the steps individuals should take in response to the data breach; if the data breach involved unauthorised access to or disclosure of personal information—the period during which the access or disclosure was available or made; the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach; information about how an individual may make a privacy complaint to the agency under section 166A.\n(sec.53-ssec.3) The agency must, as soon as practicable after a notice is published under subsection (1)(c), provide the information commissioner with information about how to access the notice.\n(sec.53-ssec.4) The information commissioner must, after receiving the information under subsection (3), publish on the commissioner’s website information about how to access the notice for a period of at least 12 months.\n- (a) if it is reasonably practicable to notify each individual whose personal information has been accessed, disclosed or lost—take reasonable steps to notify each individual of the information mentioned in 
subsection (2); or\n- (b) if paragraph (a) does not apply and it is reasonably practicable to notify each affected individual for the data breach—take reasonable steps to notify each affected individual of the information mentioned in subsection (2); or\n- (c) if paragraphs (a) and (b) do not apply—publish the information mentioned in subsection (2) on an accessible agency website for a period of at least 12 months, other than information that would prejudice the agency’s functions.\n- (a) the name of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;\n- (b) the contact details of the agency or a person nominated by the agency for the individual to contact in relation to the data breach;\n- (c) the date the data breach occurred;\n- (d) a description of the data breach, including the type of eligible data breach under section 47;\n- (e) information about how the data breach occurred;\n- (f) for a notification under subsection (1)(a) or (b)— (i) a description of the personal information the subject of the data breach; and (ii) the agency’s recommendations about the steps the individual should take in response to the data breach;\n- (i) a description of the personal information the subject of the data breach; and\n- (ii) the agency’s recommendations about the steps the individual should take in response to the data breach;\n- (g) for a notification under subsection (1)(c)— (i) a description of the kind of personal information the subject of the data breach, without including any personal information in the description; and (ii) the agency’s recommendations about the steps individuals should take in response to the data breach;\n- (i) a description of the kind of personal information the subject of the data breach, without including any personal information in the description; and\n- (ii) the agency’s recommendations about the steps individuals should take in response to 
the data breach;\n- (h) if the data breach involved unauthorised access to or disclosure of personal information—the period during which the access or disclosure was available or made;\n- (i) the steps the agency has taken or will take to contain the data breach and mitigate the harm caused to individuals by the data breach;\n- (j) information about how an individual may make a privacy complaint to the agency under section 166A.\n- (i) a description of the personal information the subject of the data breach; and\n- (ii) the agency’s recommendations about the steps the individual should take in response to the data breach;\n- (i) a description of the kind of personal information the subject of the data breach, without including any personal information in the description; and\n- (ii) the agency’s recommendations about the steps individuals should take in response to the data breach;","sortOrder":66},{"sectionNumber":"sec.54","sectionType":"section","heading":"Particular agencies may collect, use and disclose relevant personal information for notification","content":"### sec.54 Particular agencies may collect, use and disclose relevant personal information for notification\n\nA regulation may prescribe—\nan agency (a disclosing agency) that may, under this section, disclose relevant personal information to another agency; and\nan agency (a receiving agency) that may, under this section, collect and use relevant personal information from a disclosing agency and disclose relevant personal information to the disclosing agency.\nA disclosing agency may disclose relevant personal information held by the agency to a receiving agency if the receiving agency is the subject of an eligible data breach.\nThe receiving agency may collect and use relevant personal information from a disclosing agency, and disclose relevant personal information to the disclosing agency, if it is reasonably necessary for the purpose of confirming—\nthe name and contact details of a 
notifiable individual; or\nwhether a notifiable individual is deceased.\nA disclosing agency or receiving agency is not required to comply with a QPP in relation to the disclosure, collection or use of relevant personal information under this section.\nFor subsection (2), an eligible data breach includes—\na data breach that an agency reasonably believes is an eligible data breach; and\na suspected data breach of an agency mentioned in section 61(1), whether or not the information commissioner has made a recommendation under section 61(4).\nIf a disclosing agency may, under an Act, enter into an arrangement and charge a fee for the provision of personal information kept by the agency under that Act, the agency may do so under that Act in relation to personal information that may be disclosed under this section.\nIn this section—\nidentifier, for an individual, means an identifier other than solely the individual’s name, including, for example, a number, that is—\nassigned to the individual in relation to the individual’s personal information by an entity for the purpose of uniquely identifying that individual, whether or not it is subsequently used other than in relation to the personal information; or\nadopted, used or disclosed in relation to the individual’s personal information by an entity for the purpose of uniquely identifying the individual.\nnotifiable individual means—\nan individual mentioned in section 53(1)(a) or (b); or\nan individual the information commissioner recommends should be notified under section 61(4).\nrelevant personal information means the following information about an individual—\nthe name of the individual;\nthe contact details of the individual;\nthe date of birth of the individual;\nan identifier for the individual;\nif the individual is deceased—the date of the individual’s death.\ns 54 sub 2023 No. 32 s 33\n(sec.54-ssec.1) A regulation may prescribe— an agency (a disclosing agency 
) that may, under this section, disclose relevant personal information to another agency; and an agency (a receiving agency) that may, under this section, collect and use relevant personal information from a disclosing agency and disclose relevant personal information to the disclosing agency.\n(sec.54-ssec.2) A disclosing agency may disclose relevant personal information held by the agency to a receiving agency if the receiving agency is the subject of an eligible data breach.\n(sec.54-ssec.3) The receiving agency may collect and use relevant personal information from a disclosing agency, and disclose relevant personal information to the disclosing agency, if it is reasonably necessary for the purpose of confirming— the name and contact details of a notifiable individual; or whether a notifiable individual is deceased.\n(sec.54-ssec.4) A disclosing agency or receiving agency is not required to comply with a QPP in relation to the disclosure, collection or use of relevant personal information under this section.\n(sec.54-ssec.5) For subsection (2), an eligible data breach includes— a data breach that an agency reasonably believes is an eligible data breach; and a suspected data breach of an agency mentioned in section 61(1), whether or not the information commissioner has made a recommendation under section 61(4).\n(sec.54-ssec.6) If a disclosing agency may, under an Act, enter into an arrangement and charge a fee for the provision of personal information kept by the agency under that Act, the agency may do so under that Act in relation to personal information that may be disclosed under this section.\n(sec.54-ssec.7) In this section— identifier, for an individual, means an identifier other than solely the individual’s name, including, for example, a number, that is— assigned to the individual in relation to the individual’s personal information by an entity for the purpose of uniquely identifying that individual, whether or not it is 
subsequently used other than in relation to the personal information; or adopted, used or disclosed in relation to the individual’s personal information by an entity for the purpose of uniquely identifying the individual. notifiable individual means— an individual mentioned in section 53(1)(a) or (b); or an individual the information commissioner recommends should be notified under section 61(4). relevant personal information means the following information about an individual— the name of the individual; the contact details of the individual; the date of birth of the individual; an identifier for the individual; if the individual is deceased—the date of the individual’s death.\n- (a) an agency (a disclosing agency) that may, under this section, disclose relevant personal information to another agency; and\n- (b) an agency (a receiving agency) that may, under this section, collect and use relevant personal information from a disclosing agency and disclose relevant personal information to the disclosing agency.\n- (a) the name and contact details of a notifiable individual; or\n- (b) whether a notifiable individual is deceased.\n- (a) a data breach that an agency reasonably believes is an eligible data breach; and\n- (b) a suspected data breach of an agency mentioned in section 61(1), whether or not the information commissioner has made a recommendation under section 61(4).\n- (a) assigned to the individual in relation to the individual’s personal information by an entity for the purpose of uniquely identifying that individual, whether or not it is subsequently used other than in relation to the personal information; or\n- (b) adopted, used or disclosed in relation to the individual’s personal information by an entity for the purpose of uniquely identifying the individual.\n- (a) an individual mentioned in section 53(1)(a) or (b); or\n- (b) an individual the information commissioner recommends should be notified under 
section 61(4).\n- (a) the name of the individual;\n- (b) the contact details of the individual;\n- (c) the date of birth of the individual;\n- (d) an identifier for the individual;\n- (e) if the individual is deceased—the date of the individual’s death.","sortOrder":67},{"sectionNumber":"ch.3A-pt.3-div.3","sectionType":"division","heading":"Exemptions","content":"## Exemptions","sortOrder":68},{"sectionNumber":"sec.55","sectionType":"section","heading":"Exemption—investigations and proceedings","content":"### sec.55 Exemption—investigations and proceedings\n\nAn agency need not comply with division 2 to the extent complying with that division is likely to prejudice—\nan investigation that could lead to the prosecution of an offence; or\nproceedings before a court or tribunal.\ns 55 sub 2023 No. 32 s 33\n- (a) an investigation that could lead to the prosecution of an offence; or\n- (b) proceedings before a court or tribunal.","sortOrder":69},{"sectionNumber":"sec.56","sectionType":"section","heading":"Exemption—eligible data breach of more than 1 agency","content":"### sec.56 Exemption—eligible data breach of more than 1 agency\n\nThis section applies if—\nan agency is not required to comply with requirements about assessing a data breach under section 48(2)(b) and (3) because section 48(5) applies to the agency; and\nanother agency is required to comply with division 2 in relation to the data breach.\nThe agency need not comply with division 2 in relation to the data breach.\ns 56 sub 2023 No. 32 s 33\n(sec.56-ssec.1) This section applies if— an agency is not required to comply with requirements about assessing a data breach under section 48(2)(b) and (3) because section 48(5) applies to the agency; and another agency is required to comply with division 2 in relation to the data breach.\n(sec.56-ssec.2) The agency need not comply with division 2 in relation to the data 
breach.\n- (a) an agency is not required to comply with requirements about assessing a data breach under section 48(2)(b) and (3) because section 48(5) applies to the agency; and\n- (b) another agency is required to comply with division 2 in relation to the data breach.","sortOrder":70},{"sectionNumber":"sec.57","sectionType":"section","heading":"Exemption—agency has taken remedial action","content":"### sec.57 Exemption—agency has taken remedial action\n\nThis section applies in relation to an eligible data breach of an agency if—\nfor a data breach involving unauthorised access to, or disclosure of, personal information—\nthe agency takes action to mitigate the harm caused by the data breach; and\nthe action is taken before the access or disclosure results in serious harm to any individual; and\nas a result of the action taken, the data breach is no longer likely to result in serious harm to any individual; or\nfor a data breach involving the loss of personal information—\nthe agency takes action to mitigate the loss; and\nthe action is taken before there is unauthorised access to, or disclosure of, the personal information; and\nas a result of the action taken, there is no unauthorised access to, or disclosure of, the personal information; or\nfor a data breach involving the loss of personal information—\nthe agency takes action to mitigate the loss; and\nthe action is taken after there is unauthorised access to, or unauthorised disclosure of, the personal information but before the access or disclosure results in serious harm to any individual; and\nas a result of the action taken, the data breach is no longer likely to result in serious harm to any individual.\nThe agency need not comply with section 53 in relation to the eligible data breach.\ns 57 sub 2023 No. 32 s 33\n(sec.57-ssec.1) This section applies in relation to an eligible data breach of an agency if— for a data breach involving unauthorised access to, or 
disclosure of, personal information— the agency takes action to mitigate the harm caused by the data breach; and the action is taken before the access or disclosure results in serious harm to any individual; and as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual; or for a data breach involving the loss of personal information— the agency takes action to mitigate the loss; and the action is taken before there is unauthorised access to, or disclosure of, the personal information; and as a result of the action taken, there is no unauthorised access to, or disclosure of, the personal information; or for a data breach involving the loss of personal information— the agency takes action to mitigate the loss; and the action is taken after there is unauthorised access to, or unauthorised disclosure of, the personal information but before the access or disclosure results in serious harm to any individual; and as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual.\n(sec.57-ssec.2) The agency need not comply with section 53 in relation to the eligible data breach.\n- (a) for a data breach involving unauthorised access to, or disclosure of, personal information— (i) the agency takes action to mitigate the harm caused by the data breach; and (ii) the action is taken before the access or disclosure results in serious harm to any individual; and (iii) as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual; or\n- (i) the agency takes action to mitigate the harm caused by the data breach; and\n- (ii) the action is taken before the access or disclosure results in serious harm to any individual; and\n- (iii) as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual; or\n- (b) for a data breach involving the loss of personal information— (i) the 
agency takes action to mitigate the loss; and (ii) the action is taken before there is unauthorised access to, or disclosure of, the personal information; and (iii) as a result of the action taken, there is no unauthorised access to, or disclosure of, the personal information; or\n- (i) the agency takes action to mitigate the loss; and\n- (ii) the action is taken before there is unauthorised access to, or disclosure of, the personal information; and\n- (iii) as a result of the action taken, there is no unauthorised access to, or disclosure of, the personal information; or\n- (c) for a data breach involving the loss of personal information— (i) the agency takes action to mitigate the loss; and (ii) the action is taken after there is unauthorised access to, or unauthorised disclosure of, the personal information but before the access or disclosure results in serious harm to any individual; and (iii) as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual.\n- (i) the agency takes action to mitigate the loss; and\n- (ii) the action is taken after there is unauthorised access to, or unauthorised disclosure of, the personal information but before the access or disclosure results in serious harm to any individual; and\n- (iii) as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual.\n- (i) the agency takes action to mitigate the harm caused by the data breach; and\n- (ii) the action is taken before the access or disclosure results in serious harm to any individual; and\n- (iii) as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual; or\n- (i) the agency takes action to mitigate the loss; and\n- (ii) the action is taken before there is unauthorised access to, or disclosure of, the personal information; and\n- (iii) as a result of the action taken, there is no unauthorised access to, or disclosure of, the 
personal information; or\n- (i) the agency takes action to mitigate the loss; and\n- (ii) the action is taken after there is unauthorised access to, or unauthorised disclosure of, the personal information but before the access or disclosure results in serious harm to any individual; and\n- (iii) as a result of the action taken, the data breach is no longer likely to result in serious harm to any individual.","sortOrder":71},{"sectionNumber":"sec.58","sectionType":"section","heading":"Exemption—inconsistency with confidentiality provision","content":"### sec.58 Exemption—inconsistency with confidentiality provision\n\nAn agency need not comply with division 2 in relation to an eligible data breach of the agency to the extent the compliance would be inconsistent with a provision of an Act of the Commonwealth or a State that prohibits or regulates the use or disclosure of the information.\ns 58 sub 2023 No. 32 s 33","sortOrder":72},{"sectionNumber":"sec.59","sectionType":"section","heading":"Exemption—serious risk of harm to health or safety","content":"### sec.59 Exemption—serious risk of harm to health or safety\n\nAn agency need not comply with section 53 in relation to an eligible data breach to the extent compliance would create a serious risk of harm to an individual’s health or safety, having regard to, for example—\nwhether the harm caused by complying with division 2 is greater than the harm of not complying with that division; and\nthe currency of the information relied on.\nIf an agency relies on this section, the agency must give a written notice to the information commissioner stating—\nthe extent to which the agency is exempt from complying with division 2 under this section; and\nwhether or not the exemption is permanent or temporary; and\nif the exemption is temporary—when the agency expects the exemption will stop applying.\ns 59 sub 2023 No. 32 s 33\n(sec.59-ssec.1) An agency need not comply with 
section 53 in relation to an eligible data breach to the extent compliance would create a serious risk of harm to an individual’s health or safety, having regard to, for example— whether the harm caused by complying with division 2 is greater than the harm of not complying with that division; and the currency of the information relied on.\n(sec.59-ssec.2) If an agency relies on this section, the agency must give a written notice to the information commissioner stating— the extent to which the agency is exempt from complying with division 2 under this section; and whether or not the exemption is permanent or temporary; and if the exemption is temporary—when the agency expects the exemption will stop applying.\n- (a) whether the harm caused by complying with division 2 is greater than the harm of not complying with that division; and\n- (b) the currency of the information relied on.\n- (a) the extent to which the agency is exempt from complying with division 2 under this section; and\n- (b) whether or not the exemption is permanent or temporary; and\n- (c) if the exemption is temporary—when the agency expects the exemption will stop applying.","sortOrder":73},{"sectionNumber":"sec.60","sectionType":"section","heading":"Exemption—compromise to cybersecurity","content":"### sec.60 Exemption—compromise to cybersecurity\n\nAn agency need not comply with section 53 in relation to an eligible data breach if compliance is likely to—\ncompromise or worsen the agency’s cybersecurity; or\nlead to further data breaches of the agency.\nThe exemption applies only for the period during which a matter mentioned in subsection (1)(a) or (b) continues to apply for the agency in relation to the eligible data breach.\nIf an agency relies on this section, the agency must give a written notice to the information commissioner stating—\nthe agency is exempt from complying with division 2 under this section; and\nwhen the agency expects the exemption 
will stop applying; and\nhow the agency will review the application of the exemption.\nThe agency must—\nreview the application of the exemption each month for the period during which the exemption is relied on; and\ngive the commissioner a summary of the review as soon as practicable after it is completed.\ns 60 sub 2023 No. 32 s 33\n(sec.60-ssec.1) An agency need not comply with section 53 in relation to an eligible data breach if compliance is likely to— compromise or worsen the agency’s cybersecurity; or lead to further data breaches of the agency.\n(sec.60-ssec.2) The exemption applies only for the period during which a matter mentioned in subsection (1)(a) or (b) continues to apply for the agency in relation to the eligible data breach.\n(sec.60-ssec.3) If an agency relies on this section, the agency must give a written notice to the information commissioner stating— the agency is exempt from complying with division 2 under this section; and when the agency expects the exemption will stop applying; and how the agency will review the application of the exemption.\n(sec.60-ssec.4) The agency must— review the application of the exemption each month for the period during which the exemption is relied on; and give the commissioner a summary of the review as soon as practicable after it is completed.\n- (a) compromise or worsen the agency’s cybersecurity; or\n- (b) lead to further data breaches of the agency.\n- (a) the agency is exempt from complying with division 2 under this section; and\n- (b) when the agency expects the exemption will stop applying; and\n- (c) how the agency will review the application of the exemption.\n- (a) review the application of the exemption each month for the period during which the exemption is relied on; and\n- (b) give the commissioner a summary of the review as soon as practicable after it is completed.","sortOrder":74},{"sectionNumber":"ch.3A-pt.4","sectionType":"part","heading":"Role of 
information commissioner","content":"# Role of information commissioner","sortOrder":75},{"sectionNumber":"sec.61","sectionType":"section","heading":"Information commissioner may direct agency to give statement and make recommendations","content":"### sec.61 Information commissioner may direct agency to give statement and make recommendations\n\nThis section applies if the information commissioner reasonably suspects a data breach of an agency may be an eligible data breach of the agency.\nThe information commissioner may, after complying with subsections (5) and (6), direct the agency by written notice to prepare and give to the commissioner a statement providing the following information—\nthe name and contact details of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;\na description of the data breach, including the kind of personal information involved in the data breach;\nrecommendations about the steps an individual who may be affected by the data breach should take in response to the data breach;\nany other information related to the data breach requested by the commissioner.\nThe agency must comply with the direction.\nIf a direction is given under subsection (2), the information commissioner may also, after complying with subsections (5) and (6), recommend to the agency that the agency notify individuals under section 53 as if the agency reasonably believed the data breach were an eligible data breach.\nBefore giving a direction under subsection (2) or making a recommendation under subsection (4), the information commissioner must invite the agency to make a submission to the commissioner, within a reasonable period, about the data breach.\nWithout limiting the matters the information commissioner may consider, in deciding whether to give a direction under subsection (2) or make a recommendation under subsection (4), the information commissioner must have 
regard to the following—\nany advice given to the information commissioner by a law enforcement agency;\nany submission made by the agency under subsection (5).\ns 61 sub 2023 No. 32 s 33\n(sec.61-ssec.1) This section applies if the information commissioner reasonably suspects a data breach of an agency may be an eligible data breach of the agency.\n(sec.61-ssec.2) The information commissioner may, after complying with subsections (5) and (6), direct the agency by written notice to prepare and give to the commissioner a statement providing the following information— the name and contact details of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency; a description of the data breach, including the kind of personal information involved in the data breach; recommendations about the steps an individual who may be affected by the data breach should take in response to the data breach; any other information related to the data breach requested by the commissioner.\n(sec.61-ssec.3) The agency must comply with the direction.\n(sec.61-ssec.4) If a direction is given under subsection (2), the information commissioner may also, after complying with subsections (5) and (6), recommend to the agency that the agency notify individuals under section 53 as if the agency reasonably believed the data breach were an eligible data breach.\n(sec.61-ssec.5) Before giving a direction under subsection (2) or making a recommendation under subsection (4), the information commissioner must invite the agency to make a submission to the commissioner, within a reasonable period, about the data breach.\n(sec.61-ssec.6) Without limiting the matters the information commissioner may consider, in deciding whether to give a direction under subsection (2) or make a recommendation under subsection (4), the information commissioner must have regard to the following— any advice given to the 
information commissioner by a law enforcement agency; any submission made by the agency under subsection (5).\n- (a) the name and contact details of the agency and, if more than 1 agency was affected by the data breach, the name of each other agency;\n- (b) a description of the data breach, including the kind of personal information involved in the data breach;\n- (c) recommendations about the steps an individual who may be affected by the data breach should take in response to the data breach;\n- (d) any other information related to the data breach requested by the commissioner.\n- (a) any advice given to the information commissioner by a law enforcement agency;\n- (b) any submission made by the agency under subsection (5).","sortOrder":76},{"sectionNumber":"ch.3A-pt.5","sectionType":"part","heading":"Investigations","content":"# Investigations","sortOrder":77},{"sectionNumber":"ch.3A-pt.5-div.1","sectionType":"division","heading":"Authorised officers","content":"## Authorised officers","sortOrder":78},{"sectionNumber":"sec.62","sectionType":"section","heading":"Functions","content":"### sec.62 Functions\n\nThe functions of an authorised officer are to monitor and investigate whether an occasion has arisen for the exercise of the information commissioner’s powers that relate to an agency’s compliance with this chapter.\ns 62 sub 2023 No. 32 s 33","sortOrder":79},{"sectionNumber":"sec.63","sectionType":"section","heading":"Appointment","content":"### sec.63 Appointment\n\nThe information commissioner may, by instrument in writing, appoint an appropriately qualified person as an authorised officer.\ns 63 sub 2023 No. 32 s 33","sortOrder":80},{"sectionNumber":"sec.64","sectionType":"section","heading":"Identity cards","content":"### sec.64 Identity cards\n\nThe information commissioner must issue an identity card to each authorised officer.\nThe identity card must—\ncontain a recent photo of the authorised officer; 
and\ncontain a copy of the signature of the information commissioner and authorised officer; and\nidentify the person as an authorised officer under this part; and\nstate an expiry date for the card.\ns 64 sub 2023 No. 32 s 33\n(sec.64-ssec.1) The information commissioner must issue an identity card to each authorised officer.\n(sec.64-ssec.2) The identity card must— contain a recent photo of the authorised officer; and contain a copy of the signature of the information commissioner and authorised officer; and identify the person as an authorised officer under this part; and state an expiry date for the card.\n- (a) contain a recent photo of the authorised officer; and\n- (b) contain a copy of the signature of the information commissioner and authorised officer; and\n- (c) identify the person as an authorised officer under this part; and\n- (d) state an expiry date for the card.","sortOrder":81},{"sectionNumber":"sec.65","sectionType":"section","heading":"Production or display of identity card","content":"### sec.65 Production or display of identity card\n\nIn exercising a power in relation to a person in the person’s presence or by audio visual link, an authorised officer must—\nproduce the authorised officer’s identity card for the person’s inspection before exercising the power; or\nhave the identity card displayed so it is clearly visible to the person when exercising the power.\nHowever, if it is not practicable to comply with subsection (1), the authorised officer must produce the identity card for the person’s inspection at the first reasonable opportunity.\ns 65 sub 2023 No. 32 s 33\n(sec.65-ssec.1) In exercising a power in relation to a person in the person’s presence or by audio visual link, an authorised officer must— produce the authorised officer’s identity card for the person’s inspection before exercising the power; or have the identity card displayed so it is clearly visible to the person when exercising the 
power.\n(sec.65-ssec.2) However, if it is not practicable to comply with subsection (1), the authorised officer must produce the identity card for the person’s inspection at the first reasonable opportunity.\n- (a) produce the authorised officer’s identity card for the person’s inspection before exercising the power; or\n- (b) have the identity card displayed so it is clearly visible to the person when exercising the power.","sortOrder":82},{"sectionNumber":"sec.66","sectionType":"section","heading":"Return of identity card","content":"### sec.66 Return of identity card\n\nIf the office of a person as an authorised officer ends, the person must return the person’s identity card to the information commissioner within 15 business days after the office ends unless the person has a reasonable excuse.\nMaximum penalty—10 penalty units.\ns 66 sub 2023 No. 32 s 33","sortOrder":83},{"sectionNumber":"ch.3A-pt.5-div.2","sectionType":"division","heading":"Entry of places occupied by agencies","content":"## Entry of places occupied by agencies","sortOrder":84},{"sectionNumber":"sec.67","sectionType":"section","heading":"General power to enter places occupied by agency","content":"### sec.67 General power to enter places occupied by agency\n\nAn authorised officer may enter an agency’s place of business, or another place occupied by the agency, if either of the following apply—\nthe agency has consented to the commissioner’s request for entry made under section 68;\nthe agency has failed to consent to the commissioner’s request for entry made under section 68, and the entry is made in compliance with the notice given for the entry under section 68(2).\ns 67 sub 2023 No. 32 s 33\n- (a) the agency has consented to the commissioner’s request for entry made under section 68;\n- (b) the agency has failed to consent to the commissioner’s request for entry made under section 68, and the entry is made in compliance with 
the notice given for the entry under section 68(2).","sortOrder":85},{"sectionNumber":"sec.68","sectionType":"section","heading":"Information commissioner must give written notice of entry","content":"### sec.68 Information commissioner must give written notice of entry\n\nBefore an authorised officer enters a place occupied by an agency under section 67, the information commissioner must, by written notice, ask the agency to consent to an authorised officer entering the place.\nThe notice must—\nexplain the purpose of the entry, including the powers intended to be exercised; and\npropose a reasonable date and time for the entry; and\nask for the agency’s principal officer’s written consent to the entry to be given to the information commissioner within a stated reasonable period; and\nif the place is the agency’s place of business, state that if the written consent is not given to the commissioner within the stated period, an authorised officer may enter the place on a stated reasonable date and at a stated reasonable time when the place—\nis open for carrying on the business; or\nis otherwise open for entry.\nIf the notice is given to an agency, the agency must take all reasonable steps to facilitate entry by an authorised officer on the date and time consented to or stated under subsection (2)(d).\nMaximum penalty—100 penalty units.\nFor subsection (2)(d), an agency’s place of business does not include a part of the place where a person resides.\ns 68 sub 2023 No. 32 s 33\n(sec.68-ssec.1) Before an authorised officer enters a place occupied by an agency under section 67, the information commissioner must, by written notice, ask the agency to consent to an authorised officer entering the place.\n(sec.68-ssec.2) The notice must— explain the purpose of the entry, including the powers intended to be exercised; and propose a reasonable date and time for the entry; and ask for the agency’s principal officer’s written 
consent to the entry to be given to the information commissioner within a stated reasonable period; and if the place is the agency’s place of business, state that if the written consent is not given to the commissioner within the stated period, an authorised officer may enter the place on a stated reasonable date and at a stated reasonable time when the place— is open for carrying on the business; or is otherwise open for entry.\n(sec.68-ssec.3) If the notice is given to an agency, the agency must take all reasonable steps to facilitate entry by an authorised officer on the date and time consented to or stated under subsection (2)(d). Maximum penalty—100 penalty units.\n(sec.68-ssec.4) For subsection (2)(d), an agency’s place of business does not include a part of the place where a person resides.\n- (a) explain the purpose of the entry, including the powers intended to be exercised; and\n- (b) propose a reasonable date and time for the entry; and\n- (c) ask for the agency’s principal officer’s written consent to the entry to be given to the information commissioner within a stated reasonable period; and\n- (d) if the place is the agency’s place of business, state that if the written consent is not given to the commissioner within the stated period, an authorised officer may enter the place on a stated reasonable date and at a stated reasonable time when the place— (a) is open for carrying on the business; or (b) is otherwise open for entry.\n- (a) is open for carrying on the business; or\n- (b) is otherwise open for entry.\n- (a) is open for carrying on the business; or\n- (b) is otherwise open for entry.","sortOrder":86},{"sectionNumber":"ch.3A-pt.5-div.3","sectionType":"division","heading":"Powers of authorised officers","content":"## Powers of authorised officers","sortOrder":87},{"sectionNumber":"sec.69","sectionType":"section","heading":"General powers","content":"### sec.69 General powers\n\nIf an authorised officer enters a place under 
section 67, the authorised officer may do the following—\nrequire a person at the place who has the necessary skills or knowledge to demonstrate the data handling systems and practices of the agency that relate to the agency’s compliance with this chapter;\ninspect a document that is relevant to the systems, policies and practices of the agency that relate to the agency’s compliance with this chapter;\nremain at the place for the time necessary to achieve the purpose of the entry.\nAlso, if the agency agrees, an authorised officer may exercise a power mentioned in subsection (1)(a) or (b) by audio visual link provided by the agency.\nIn this section—\naudio visual link means facilities that enable reasonably contemporaneous and continuous audio and visual communication between persons at different places and includes videoconferencing.\ns 69 amd 2009 No. 48 s 222\nsub 2023 No. 32 s 33\n(sec.69-ssec.1) If an authorised officer enters a place under section 67, the authorised officer may do the following— require a person at the place who has the necessary skills or knowledge to demonstrate the data handling systems and practices of the agency that relate to the agency’s compliance with this chapter; inspect a document that is relevant to the systems, policies and practices of the agency that relate to the agency’s compliance with this chapter; remain at the place for the time necessary to achieve the purpose of the entry.\n(sec.69-ssec.2) Also, if the agency agrees, an authorised officer may exercise a power mentioned in subsection (1)(a) or (b) by audio visual link provided by the agency.\n(sec.69-ssec.3) In this section— audio visual link means facilities that enable reasonably contemporaneous and continuous audio and visual communication between persons at different places and includes videoconferencing.\n- (a) require a person at the place who has the necessary skills or knowledge to demonstrate the data handling 
systems and practices of the agency that relate to the agency’s compliance with this chapter;\n- (b) inspect a document that is relevant to the systems, policies and practices of the agency that relate to the agency’s compliance with this chapter;\n- (c) remain at the place for the time necessary to achieve the purpose of the entry.","sortOrder":88},{"sectionNumber":"sec.70","sectionType":"section","heading":"Power to require reasonable help","content":"### sec.70 Power to require reasonable help\n\nIf an authorised officer enters a place occupied by an agency under section 67, the authorised officer may require a person at the place to give the authorised officer reasonable help to exercise a power under that section, including, for example, to demonstrate data handling systems and practices or produce a document.\nWhen making a requirement under subsection (1), the authorised officer must give the person an offence warning for the requirement.\nIn this section—\noffence warning, for a requirement made by an authorised officer under subsection (1), means a warning that, without a reasonable excuse, it is an offence for the person of whom the requirement is made not to comply with the requirement.\ns 70 sub 2023 No. 32 s 33\n(sec.70-ssec.1) If an authorised officer enters a place occupied by an agency under section 67, the authorised officer may require a person at the place to give the authorised officer reasonable help to exercise a power under that section, including, for example, to demonstrate data handling systems and practices or produce a document.\n(sec.70-ssec.2) When making a requirement under subsection (1), the authorised officer must give the person an offence warning for the requirement.\n(sec.70-ssec.3) In this section— offence warning, for a requirement made by an authorised officer under subsection (1), means a warning that, without a reasonable excuse, it is an offence for the person of whom 
the requirement is made not to comply with the requirement.","sortOrder":89},{"sectionNumber":"sec.71","sectionType":"section","heading":"Offence to contravene help requirement","content":"### sec.71 Offence to contravene help requirement\n\nA person of whom a requirement is made under section 70(1) must comply with the requirement unless the person has a reasonable excuse.\nMaximum penalty—100 penalty units.\nIt is a reasonable excuse for an individual not to comply with a requirement under section 70(1) if complying with the requirement might—\ntend to incriminate the individual or expose the individual to a penalty; or\nresult in the disclosure of information that is the subject of legal professional privilege; or\nresult in the disclosure of confidential information in contravention of a law.\nHowever, subsection (2) does not apply if a document or information the subject of the help requirement is required to be held or kept by the individual under this Act.\nSee, however, section 74.\ns 71 sub 2023 No. 32 s 33\n(sec.71-ssec.1) A person of whom a requirement is made under section 70(1) must comply with the requirement unless the person has a reasonable excuse. Maximum penalty—100 penalty units.\n(sec.71-ssec.2) It is a reasonable excuse for an individual not to comply with a requirement under section 70(1) if complying with the requirement might— tend to incriminate the individual or expose the individual to a penalty; or result in the disclosure of information that is the subject of legal professional privilege; or result in the disclosure of confidential information in contravention of a law.\n(sec.71-ssec.3) However, subsection (2) does not apply if a document or information the subject of the help requirement is required to be held or kept by the individual under this Act. 
See, however, section 74.\n- (a) tend to incriminate the individual or expose the individual to a penalty; or\n- (b) result in the disclosure of information that is the subject of legal professional privilege; or\n- (c) result in the disclosure of confidential information in contravention of a law.","sortOrder":90},{"sectionNumber":"ch.3A-pt.6","sectionType":"part","heading":"Miscellaneous","content":"# Miscellaneous","sortOrder":91},{"sectionNumber":"sec.72","sectionType":"section","heading":"Agency must keep register","content":"### sec.72 Agency must keep register\n\nAn agency must keep a register of eligible data breaches of the agency.\nThe register must include the following information for each eligible data breach—\na description of the eligible data breach, including the type of data breach under section 47;\nif a statement is required for the eligible data breach under section 51—the date the statement is provided;\nif further information about the eligible data breach is required to be given to the information commissioner under section 52—each date the further information is given;\nif individuals are notified of the eligible data breach under section 53(1)(a) or (b)—the individuals notified and the date and method used to notify the individuals;\nif the agency relied on an exemption under part 3, division 3—the exemption relied on;\ndetails of the steps taken by the agency to—\ncontain the eligible data breach under section 48(2)(a) or (4)(a); and\nmitigate the harm caused by the eligible data breach under section 48(4)(a);\ndetails of the actions taken by the agency to prevent future data breaches of a similar kind occurring.\nIf it is not practicable to include any or all of the information mentioned in subsection (2) for an eligible data breach at a particular time, the agency must record the information in the register as soon as it is practicable to do so.\ns 72 sub 2023 
No. 32 s 33\n(sec.72-ssec.1) An agency must keep a register of eligible data breaches of the agency.\n(sec.72-ssec.2) The register must include the following information for each eligible data breach— a description of the eligible data breach, including the type of data breach under section 47; if a statement is required for the eligible data breach under section 51—the date the statement is provided; if further information about the eligible data breach is required to be given to the information commissioner under section 52—each date the further information is given; if individuals are notified of the eligible data breach under section 53(1)(a) or (b)—the individuals notified and the date and method used to notify the individuals; if the agency relied on an exemption under part 3, division 3—the exemption relied on; details of the steps taken by the agency to— contain the eligible data breach under section 48(2)(a) or (4)(a); and mitigate the harm caused by the eligible data breach under section 48(4)(a); details of the actions taken by the agency to prevent future data breaches of a similar kind occurring.\n(sec.72-ssec.3) If it is not practicable to include any or all of the information mentioned in subsection (2) for an eligible data breach at a particular time, the agency must record the information in the register as soon as it is practicable to do so.\n- (a) a description of the eligible data breach, including the type of data breach under section 47;\n- (b) if a statement is required for the eligible data breach under section 51—the date the statement is provided;\n- (c) if further information about the eligible data breach is required to be given to the information commissioner under section 52—each date the further information is given;\n- (d) if individuals are notified of the eligible data breach under section 53(1)(a) or (b)—the individuals notified and the 
date and method used to notify the individuals;\n- (e) if the agency relied on an exemption under part 3, division 3—the exemption relied on;\n- (f) details of the steps taken by the agency to— (i) contain the eligible data breach under section 48(2)(a) or (4)(a); and (ii) mitigate the harm caused by the eligible data breach under section 48(4)(a);\n- (i) contain the eligible data breach under section 48(2)(a) or (4)(a); and\n- (ii) mitigate the harm caused by the eligible data breach under section 48(4)(a);\n- (g) details of the actions taken by the agency to prevent future data breaches of a similar kind occurring.\n- (i) contain the eligible data breach under section 48(2)(a) or (4)(a); and\n- (ii) mitigate the harm caused by the eligible data breach under section 48(4)(a);","sortOrder":92},{"sectionNumber":"sec.73","sectionType":"section","heading":"Agency must publish data breach policy","content":"### sec.73 Agency must publish data breach policy\n\nAn agency must prepare and publish a policy about how it will respond to a data breach, including a suspected eligible data breach, of the agency.\nThe policy must be published on an accessible agency website.\ns 73 sub 2023 No. 32 s 33\n(sec.73-ssec.1) An agency must prepare and publish a policy about how it will respond to a data breach, including a suspected eligible data breach, of the agency.\n(sec.73-ssec.2) The policy must be published on an accessible agency website.","sortOrder":93},{"sectionNumber":"sec.74","sectionType":"section","heading":"Evidential immunity for individuals complying with particular requirements","content":"### sec.74 Evidential immunity for individuals complying with particular requirements\n\nSubsection (2) applies if an individual gives information to an authorised officer under section 69 or 70(1).\nEvidence of the information, and other evidence directly or indirectly derived from the 
information, is not admissible against the individual in any proceeding to the extent it tends to incriminate the individual, or expose the individual to a penalty, in the proceeding.\nSubsection (2) does not apply to a proceeding about the false or misleading nature of the information or anything in which the false or misleading nature of the information is relevant evidence.\ns 74 sub 2023 No. 32 s 33\n(sec.74-ssec.1) Subsection (2) applies if an individual gives information to an authorised officer under section 69 or 70(1).\n(sec.74-ssec.2) Evidence of the information, and other evidence directly or indirectly derived from the information, is not admissible against the individual in any proceeding to the extent it tends to incriminate the individual, or expose the individual to a penalty, in the proceeding.\n(sec.74-ssec.3) Subsection (2) does not apply to a proceeding about the false or misleading nature of the information or anything in which the false or misleading nature of the information is relevant evidence.","sortOrder":94},{"sectionNumber":"sec.75","sectionType":"section","heading":null,"content":"### Section sec.75\n\ns 75 om 2023 No. 32 s 33","sortOrder":95},{"sectionNumber":"sec.76","sectionType":"section","heading":null,"content":"### Section sec.76\n\ns 76 om 2023 No. 32 s 33","sortOrder":96},{"sectionNumber":"sec.77","sectionType":"section","heading":null,"content":"### Section sec.77\n\ns 77 om 2023 No. 32 s 33","sortOrder":97},{"sectionNumber":"sec.78","sectionType":"section","heading":null,"content":"### Section sec.78\n\ns 78 om 2023 No. 32 s 33","sortOrder":98},{"sectionNumber":"sec.79","sectionType":"section","heading":null,"content":"### Section sec.79\n\ns 79 om 2023 No. 32 s 33","sortOrder":99},{"sectionNumber":"sec.80","sectionType":"section","heading":null,"content":"### Section sec.80\n\ns 80 om 2023 No. 32
s&#160;33","sortOrder":100},{"sectionNumber":"sec.81","sectionType":"section","heading":null,"content":"### Section sec.81\n\ns&#160;81 om 2023 No.&#160;32 s&#160;33","sortOrder":101},{"sectionNumber":"sec.82","sectionType":"section","heading":null,"content":"### Section sec.82\n\ns&#160;82 om 2023 No.&#160;32 s&#160;33","sortOrder":102},{"sectionNumber":"sec.83","sectionType":"section","heading":null,"content":"### Section sec.83\n\ns&#160;83 om 2023 No.&#160;32 s&#160;33","sortOrder":103},{"sectionNumber":"sec.84","sectionType":"section","heading":null,"content":"### Section sec.84\n\ns&#160;84 om 2023 No.&#160;32 s&#160;33","sortOrder":104},{"sectionNumber":"sec.85","sectionType":"section","heading":null,"content":"### Section sec.85\n\ns&#160;85 om 2023 No.&#160;32 s&#160;33","sortOrder":105},{"sectionNumber":"sec.86","sectionType":"section","heading":null,"content":"### Section sec.86\n\ns&#160;86 om 2023 No.&#160;32 s&#160;33","sortOrder":106},{"sectionNumber":"sec.87","sectionType":"section","heading":null,"content":"### Section sec.87\n\ns&#160;87 om 2023 No.&#160;32 s&#160;33","sortOrder":107},{"sectionNumber":"sec.88","sectionType":"section","heading":null,"content":"### Section sec.88\n\ns&#160;88 amd 2017 No.&#160;17 s&#160;120\nom 2023 No.&#160;32 s&#160;33","sortOrder":108},{"sectionNumber":"sec.89","sectionType":"section","heading":null,"content":"### Section sec.89\n\ns&#160;89 amd 2017 No.&#160;17 s&#160;121\nom 2023 No.&#160;32 s&#160;33","sortOrder":109},{"sectionNumber":"sec.90","sectionType":"section","heading":null,"content":"### Section sec.90\n\ns&#160;90 amd 2017 No.&#160;17 s&#160;122\nom 2023 No.&#160;32 s&#160;33","sortOrder":110},{"sectionNumber":"sec.91","sectionType":"section","heading":null,"content":"### Section sec.91\n\ns&#160;91 om 2023 No.&#160;32 s&#160;33","sortOrder":111},{"sectionNumber":"sec.92","sectionType":"section","heading":null,"content":"### Section sec.92\n\ns&#160;92 om 2023 No.&#160;32 
s&#160;33","sortOrder":112},{"sectionNumber":"sec.93","sectionType":"section","heading":null,"content":"### Section sec.93\n\ns&#160;93 om 2023 No.&#160;32 s&#160;33","sortOrder":113},{"sectionNumber":"sec.94","sectionType":"section","heading":null,"content":"### Section sec.94\n\ns&#160;94 amd 2009 No.&#160;48 s&#160;223 ; 2017 No.&#160;17 s&#160;123\nom 2023 No.&#160;32 s&#160;33","sortOrder":114},{"sectionNumber":"sec.95","sectionType":"section","heading":null,"content":"### Section sec.95\n\ns&#160;95 amd 2017 No.&#160;17 s&#160;124\nom 2023 No.&#160;32 s&#160;33","sortOrder":115},{"sectionNumber":"sec.96","sectionType":"section","heading":null,"content":"### Section sec.96\n\ns&#160;96 om 2023 No.&#160;32 s&#160;33","sortOrder":116},{"sectionNumber":"sec.97","sectionType":"section","heading":null,"content":"### Section sec.97\n\ns&#160;97 om 2023 No.&#160;32 s&#160;33","sortOrder":117},{"sectionNumber":"sec.98","sectionType":"section","heading":null,"content":"### Section sec.98\n\ns&#160;98 om 2023 No.&#160;32 s&#160;33","sortOrder":118},{"sectionNumber":"sec.99","sectionType":"section","heading":null,"content":"### Section sec.99\n\ns&#160;99 om 2023 No.&#160;32 s&#160;33","sortOrder":119},{"sectionNumber":"sec.100","sectionType":"section","heading":null,"content":"### Section sec.100\n\ns&#160;100 om 2023 No.&#160;32 s&#160;33","sortOrder":120},{"sectionNumber":"sec.101","sectionType":"section","heading":null,"content":"### Section sec.101\n\ns&#160;101 om 2023 No.&#160;32 s&#160;33","sortOrder":121},{"sectionNumber":"sec.102","sectionType":"section","heading":null,"content":"### Section sec.102\n\ns&#160;102 om 2023 No.&#160;32 s&#160;33","sortOrder":122},{"sectionNumber":"sec.103","sectionType":"section","heading":null,"content":"### Section sec.103\n\ns&#160;103 om 2023 No.&#160;32 s&#160;33","sortOrder":123},{"sectionNumber":"sec.104","sectionType":"section","heading":null,"content":"### Section sec.104\n\ns&#160;104 om 2023 No.&#160;32 
s&#160;33","sortOrder":124},{"sectionNumber":"sec.105","sectionType":"section","heading":null,"content":"### Section sec.105\n\ns&#160;105 om 2023 No.&#160;32 s&#160;33","sortOrder":125},{"sectionNumber":"sec.106","sectionType":"section","heading":null,"content":"### Section sec.106\n\ns&#160;106 om 2023 No.&#160;32 s&#160;33","sortOrder":126},{"sectionNumber":"sec.107","sectionType":"section","heading":null,"content":"### Section sec.107\n\ns&#160;107 om 2023 No.&#160;32 s&#160;33","sortOrder":127},{"sectionNumber":"sec.108","sectionType":"section","heading":null,"content":"### Section sec.108\n\ns&#160;108 om 2023 No.&#160;32 s&#160;33","sortOrder":128},{"sectionNumber":"sec.109","sectionType":"section","heading":null,"content":"### Section sec.109\n\ns&#160;109 om 2023 No.&#160;32 s&#160;33","sortOrder":129},{"sectionNumber":"sec.110","sectionType":"section","heading":null,"content":"### Section sec.110\n\ns&#160;110 om 2023 No.&#160;32 s&#160;33","sortOrder":130},{"sectionNumber":"sec.111","sectionType":"section","heading":null,"content":"### Section sec.111\n\ns&#160;111 om 2023 No.&#160;32 s&#160;33","sortOrder":131},{"sectionNumber":"sec.112","sectionType":"section","heading":null,"content":"### Section sec.112\n\ns&#160;112 om 2023 No.&#160;32 s&#160;33","sortOrder":132},{"sectionNumber":"sec.113","sectionType":"section","heading":null,"content":"### Section sec.113\n\ns&#160;113 om 2023 No.&#160;32 s&#160;33","sortOrder":133},{"sectionNumber":"sec.114","sectionType":"section","heading":null,"content":"### Section sec.114\n\ns&#160;114 om 2023 No.&#160;32 s&#160;33","sortOrder":134},{"sectionNumber":"sec.115","sectionType":"section","heading":null,"content":"### Section sec.115\n\ns&#160;115 amd 2017 No.&#160;17 s&#160;125\nom 2023 No.&#160;32 s&#160;33","sortOrder":135},{"sectionNumber":"sec.116","sectionType":"section","heading":null,"content":"### Section sec.116\n\ns&#160;116 om 2023 No.&#160;32 
s&#160;33","sortOrder":136},{"sectionNumber":"sec.117","sectionType":"section","heading":null,"content":"### Section sec.117\n\ns&#160;117 om 2023 No.&#160;32 s&#160;33","sortOrder":137},{"sectionNumber":"sec.118","sectionType":"section","heading":null,"content":"### Section sec.118\n\ns&#160;118 om 2023 No.&#160;32 s&#160;33","sortOrder":138},{"sectionNumber":"sec.119","sectionType":"section","heading":null,"content":"### Section sec.119\n\ns&#160;119 om 2023 No.&#160;32 s&#160;33","sortOrder":139},{"sectionNumber":"sec.120","sectionType":"section","heading":null,"content":"### Section sec.120\n\ns&#160;120 amd 2009 No.&#160;48 s&#160;224 (1) (amdt could not be given effect); 2009 No.&#160;48 s&#160;224 (2)–(3)\nom 2023 No.&#160;32 s&#160;33","sortOrder":140},{"sectionNumber":"sec.121","sectionType":"section","heading":null,"content":"### Section sec.121\n\ns&#160;121 om 2023 No.&#160;32 s&#160;33","sortOrder":141},{"sectionNumber":"sec.122","sectionType":"section","heading":null,"content":"### Section sec.122\n\ns&#160;122 om 2023 No.&#160;32 s&#160;33","sortOrder":142},{"sectionNumber":"sec.123","sectionType":"section","heading":null,"content":"### Section sec.123\n\ns&#160;123 om 2023 No.&#160;32 s&#160;33","sortOrder":143},{"sectionNumber":"sec.124","sectionType":"section","heading":null,"content":"### Section sec.124\n\ns&#160;124 om 2023 No.&#160;32 s&#160;33","sortOrder":144},{"sectionNumber":"sec.125","sectionType":"section","heading":null,"content":"### Section sec.125\n\ns&#160;125 om 2023 No.&#160;32 s&#160;33","sortOrder":145},{"sectionNumber":"sec.126","sectionType":"section","heading":null,"content":"### Section sec.126\n\ns&#160;126 amd 2011 No.&#160;27 s&#160;264 ; 2011 No.&#160;26 s&#160;189 sch ; 2014 No.&#160;45 s&#160;58 sch&#160;1 pt&#160;2\nom 2023 No.&#160;32 s&#160;33","sortOrder":146},{"sectionNumber":"sec.127","sectionType":"section","heading":null,"content":"### Section sec.127\n\ns&#160;127 amd 2013 No.&#160;35 s&#160;85 ; 2017 
No. 17 s 126\nom 2023 No. 32 s 33","sortOrder":147},{"sectionNumber":"sec.128","sectionType":"section","heading":null,"content":"### Section sec.128\n\ns 128 om 2023 No. 32 s 33","sortOrder":148},{"sectionNumber":"sec.129","sectionType":"section","heading":null,"content":"### Section sec.129\n\ns 129 om 2023 No. 32 s 33","sortOrder":149},{"sectionNumber":"sec.130","sectionType":"section","heading":null,"content":"### Section sec.130\n\ns 130 exp 1 December 2009 (see s 130(5))","sortOrder":150},{"sectionNumber":"sec.131","sectionType":"section","heading":null,"content":"### Section sec.131\n\ns 131 om 2023 No. 32 s 33","sortOrder":151},{"sectionNumber":"sec.132","sectionType":"section","heading":null,"content":"### Section sec.132\n\ns 132 om 2023 No. 32 s 33","sortOrder":152},{"sectionNumber":"sec.133","sectionType":"section","heading":null,"content":"### Section sec.133\n\ns 133 om 2023 No. 32 s 33","sortOrder":153},{"sectionNumber":"ch.4-pt.1","sectionType":"part","heading":"Functions of information commissioner under this Act","content":"# Functions of information commissioner under this Act","sortOrder":154},{"sectionNumber":"sec.134","sectionType":"section","heading":"Information commissioner not subject to direction","content":"### sec.134 Information commissioner not subject to direction\n\nThe information commissioner is not subject to direction by any person about—\nthe way in which the commissioner’s powers are to be exercised in the performance of a function under section 135 or 136; or\nthe priority to be given to investigations, reviews, audits mentioned in section 135(1)(b)(iii) and privacy complaints under this Act.\nSubsection (1) has effect despite the Public Sector Act 2022.\ns 134 amd 2022 No. 34 s 365 sch 3; 2023 No. 32 s 34\n(sec.134-ssec.1) The information commissioner is not subject to
direction by any person about— the way in which the commissioner’s powers are to be exercised in the performance of a function under section 135 or 136; or the priority to be given to investigations, reviews, audits mentioned in section 135(1)(b)(iii) and privacy complaints under this Act.\n(sec.134-ssec.2) Subsection (1) has effect despite the Public Sector Act 2022.\n- (a) the way in which the commissioner’s powers are to be exercised in the performance of a function under section 135 or 136; or\n- (b) the priority to be given to investigations, reviews, audits mentioned in section 135(1)(b)(iii) and privacy complaints under this Act.","sortOrder":155},{"sectionNumber":"sec.135","sectionType":"section","heading":"Performance monitoring, investigation and support functions","content":"### sec.135 Performance monitoring, investigation and support functions\n\nThe functions of the information commissioner include—\non the commissioner’s own initiative or otherwise—\nconducting—\nreviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or\nreviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and\ninvestigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A; and\nleading the improvement of public sector privacy administration in Queensland by taking
appropriate action to—\npromote understanding of and compliance with this Act; and\nprovide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and\nmonitor and audit relevant entities’ compliance with this Act; and\ninitiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and\ncomment on any issues relating to the administration of privacy in the public sector environment; and\nwithout limiting subparagraph (v), identify and comment on legislative and administrative changes that would improve the administration of this Act; and\nprepare, or assist in the preparation of, QPP codes; and\nassist relevant entities in complying with obligations under QPP codes; and\nprepare guidelines for permitted general situations under chapter 3, part 2; and\nissuing guidelines under section 138; and\nsupporting complainants for privacy complaints, and all relevant entities to the extent they are subject to the operation of this Act; and\nif the commissioner considers it appropriate, reporting to the Speaker on the findings of a reportable matter, including reporting any recommendations to the relevant entity the subject of the reportable matter.\nIn this section—\nreportable matter means—\na review or investigation under subsection (1)(a); or\nan audit under subsection (1)(b)(iii).\ns 135 amd 2017 No. 17 s 127; 2023 No. 32 s 35\n(sec.135-ssec.1) The functions of the information commissioner include— on the commissioner’s own initiative or otherwise— conducting— reviews of personal information handling practices of relevant entities, including technologies, programs, policies and
procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or reviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A; and leading the improvement of public sector privacy administration in Queensland by taking appropriate action to— promote understanding of and compliance with this Act; and provide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and monitor and audit relevant entities’ compliance with this Act; and initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and comment on any issues relating to the administration of privacy in the public sector environment; and without limiting subparagraph (v), identify and comment on legislative and administrative changes that would improve the administration of this Act; and prepare, or assist in the preparation of, QPP codes; and assist relevant entities in complying with obligations under QPP codes; and prepare guidelines for permitted general situations under chapter 3, part 2; and issuing guidelines under section 138; and
supporting complainants for privacy complaints, and all relevant entities to the extent they are subject to the operation of this Act; and if the commissioner considers it appropriate, reporting to the Speaker on the findings of a reportable matter, including reporting any recommendations to the relevant entity the subject of the reportable matter.\n(sec.135-ssec.2) In this section— reportable matter means— a review or investigation under subsection (1)(a); or an audit under subsection (1)(b)(iii).\n- (a) on the commissioner’s own initiative or otherwise— (i) conducting— (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and (ii) investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A; and\n- (i) conducting— (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to
identify particular grounds for the issue of compliance notices; and\n- (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or\n- (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and\n- (ii) investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A; and\n- (b) leading the improvement of public sector privacy administration in Queensland by taking appropriate action to— (i) promote understanding of and compliance with this Act; and (ii) provide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and (iii) monitor and audit relevant entities’ compliance with this Act; and (iv) initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and (v) comment on any issues relating to the administration of privacy in the public sector environment; and (vi) without limiting subparagraph (v), identify and comment on legislative and administrative changes that would improve the administration of this Act; and (vii) prepare, or assist in the
preparation of, QPP codes; and (viii) assist relevant entities in complying with obligations under QPP codes; and (ix) prepare guidelines for permitted general situations under chapter 3, part 2; and\n- (i) promote understanding of and compliance with this Act; and\n- (ii) provide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and\n- (iii) monitor and audit relevant entities’ compliance with this Act; and\n- (iv) initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and\n- (v) comment on any issues relating to the administration of privacy in the public sector environment; and\n- (vi) without limiting subparagraph (v), identify and comment on legislative and administrative changes that would improve the administration of this Act; and\n- (vii) prepare, or assist in the preparation of, QPP codes; and\n- (viii) assist relevant entities in complying with obligations under QPP codes; and\n- (ix) prepare guidelines for permitted general situations under chapter 3, part 2; and\n- (c) issuing guidelines under section 138; and\n- (d) supporting complainants for privacy complaints, and all relevant entities to the extent they are subject to the operation of this Act; and\n- (e) if the commissioner considers it appropriate, reporting to the Speaker on the findings of a reportable matter, including reporting any recommendations to the relevant entity the subject of the reportable matter.\n- (i) conducting— (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature
generally or to identify particular grounds for the issue of compliance notices; or (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and\n- (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or\n- (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and\n- (ii) investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A; and\n- (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or\n- (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A, including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and\n- (i) promote understanding of and compliance with this Act; and\n- (ii) provide best practice leadership and advice, including by providing advice and assistance
to relevant entities on the interpretation and administration of this Act; and\n- (iii) monitor and audit relevant entities’ compliance with this Act; and\n- (iv) initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and\n- (v) comment on any issues relating to the administration of privacy in the public sector environment; and\n- (vi) without limiting subparagraph (v), identify and comment on legislative and administrative changes that would improve the administration of this Act; and\n- (vii) prepare, or assist in the preparation of, QPP codes; and\n- (viii) assist relevant entities in complying with obligations under QPP codes; and\n- (ix) prepare guidelines for permitted general situations under chapter 3, part 2; and\n- (a) a review or investigation under subsection (1)(a); or\n- (b) an audit under subsection (1)(b)(iii).","sortOrder":156},{"sectionNumber":"sec.136","sectionType":"section","heading":"Decision-making functions","content":"### sec.136 Decision-making functions\n\nThe functions of the information commissioner include—\nwaiving or modifying—\nan obligation of a relevant entity to comply with the privacy principle requirements; or\nan obligation of an agency to comply with chapter 3A, part 2 or 3 or section 72 or 73; and\nissuing compliance notices under part 6; and\ndealing with privacy complaints under chapter 5.\ns 136 amd 2023 No. 32 s 36\n- (a) waiving or modifying— (i) an obligation of a relevant entity to comply with the privacy principle requirements; or (ii) an obligation of an agency to comply with chapter 3A, part 2 or 3 or section 72 or 73; and\n- (i) an obligation of a relevant entity to comply with the
privacy principle requirements; or\n- (ii) an obligation of an agency to comply with chapter 3A, part 2 or 3 or section 72 or 73; and\n- (b) issuing compliance notices under part 6; and\n- (c) dealing with privacy complaints under chapter 5.\n- (i) an obligation of a relevant entity to comply with the privacy principle requirements; or\n- (ii) an obligation of an agency to comply with chapter 3A, part 2 or 3 or section 72 or 73; and","sortOrder":157},{"sectionNumber":"sec.137","sectionType":"section","heading":null,"content":"### Section sec.137\n\ns 137 om 2023 No. 32 s 37","sortOrder":158},{"sectionNumber":"sec.138","sectionType":"section","heading":"Power to issue guidelines","content":"### sec.138 Power to issue guidelines\n\nThe information commissioner may issue a guideline about any matter relating to the information commissioner’s functions, including, for example, guidelines about—\nthe interpretation and administration of this Act; and\nbest practice for relevant entities in relation to information privacy generally; and\nthe application of the privacy principle requirements, including the factors to be considered in determining whether the QPPs are being complied with.\nTo remove any doubt, it is declared that—\nthis section does not limit the information commissioner’s power to make guidelines under the Right to Information Act, section 132; and\na guideline issued under that Act may include guidelines relating to the information commissioner’s functions under this Act.\ns 138 sub 2023 No. 32 s 38\n(sec.138-ssec.1) The information commissioner may issue a guideline about any matter relating to the information commissioner’s functions, including, for example, guidelines about— the interpretation and administration of this Act; and best practice for relevant entities in relation to information privacy generally; and the application of the privacy principle requirements,
including the factors to be considered in determining whether the QPPs are being complied with.\n(sec.138-ssec.2) To remove any doubt, it is declared that— this section does not limit the information commissioner’s power to make guidelines under the Right to Information Act, section 132; and a guideline issued under that Act may include guidelines relating to the information commissioner’s functions under this Act.\n- (a) the interpretation and administration of this Act; and\n- (b) best practice for relevant entities in relation to information privacy generally; and\n- (c) the application of the privacy principle requirements, including the factors to be considered in determining whether the QPPs are being complied with.\n- (a) this section does not limit the information commissioner’s power to make guidelines under the Right to Information Act, section 132; and\n- (b) a guideline issued under that Act may include guidelines relating to the information commissioner’s functions under this Act.","sortOrder":159},{"sectionNumber":"ch.4-pt.2","sectionType":"part","heading":"Staff of Office of Information Commissioner in relation to this Act","content":"# Staff of Office of Information Commissioner in relation to this Act","sortOrder":160},{"sectionNumber":"sec.139","sectionType":"section","heading":"Delegation","content":"### sec.139 Delegation\n\nThe information commissioner may delegate to a member of the staff of the OIC all or any of the commissioner’s powers under this Act.","sortOrder":161},{"sectionNumber":"sec.140","sectionType":"section","heading":"Staff subject only to direction of information commissioner","content":"### sec.140 Staff subject only to direction of information commissioner\n\nThe staff of the OIC are not subject to direction by any person, other than the information commissioner or a person authorised by the commissioner, about the performance of the commissioner’s functions under this Act.\nSubsection (1) has effect despite
the Public Sector Act 2022.\ns 140 amd 2022 No. 34 s 365 sch 3\n(sec.140-ssec.1) The staff of the OIC are not subject to direction by any person, other than the information commissioner or a person authorised by the commissioner, about the performance of the commissioner’s functions under this Act.\n(sec.140-ssec.2) Subsection (1) has effect despite the Public Sector Act 2022.","sortOrder":162},{"sectionNumber":"ch.4-pt.3","sectionType":"part","heading":"Privacy Commissioner","content":"# Privacy Commissioner","sortOrder":163},{"sectionNumber":"sec.141","sectionType":"section","heading":"The Privacy Commissioner","content":"### sec.141 The Privacy Commissioner\n\nThere is to be a Privacy Commissioner (the privacy commissioner).\nThe privacy commissioner is a member of the staff of the OIC.\n(sec.141-ssec.1) There is to be a Privacy Commissioner (the privacy commissioner).\n(sec.141-ssec.2) The privacy commissioner is a member of the staff of the OIC.","sortOrder":164},{"sectionNumber":"sec.142","sectionType":"section","heading":"Role and function of privacy commissioner","content":"### sec.142 Role and function of privacy commissioner\n\nThe privacy commissioner’s role is that of a deputy to the information commissioner, with particular responsibility for matters relating to the information commissioner’s functions under this Act.\nThe privacy commissioner’s function is to perform the functions of the information commissioner under this Act to the extent the functions are delegated to the privacy commissioner by the information commissioner.\n(sec.142-ssec.1) The privacy commissioner’s role is that of a deputy to the information commissioner, with particular responsibility for matters relating to the information commissioner’s functions under this Act.\n(sec.142-ssec.2) The privacy commissioner’s function is to perform the functions of the information commissioner under this Act to the extent the functions are delegated to the privacy
commissioner by the information commissioner.","sortOrder":165},{"sectionNumber":"sec.143","sectionType":"section","heading":"Privacy commissioner subject to direction of information commissioner","content":"### sec.143 Privacy commissioner subject to direction of information commissioner\n\nThe privacy commissioner is subject to the direction of the information commissioner.","sortOrder":166},{"sectionNumber":"sec.144","sectionType":"section","heading":"Appointment","content":"### sec.144 Appointment\n\nThe privacy commissioner is appointed by the Governor in Council.\nThe privacy commissioner is appointed under this Act and not under the Public Sector Act 2022.\ns 144 amd 2022 No. 34 s 365 sch 3\n(sec.144-ssec.1) The privacy commissioner is appointed by the Governor in Council.\n(sec.144-ssec.2) The privacy commissioner is appointed under this Act and not under the Public Sector Act 2022.","sortOrder":167},{"sectionNumber":"sec.145","sectionType":"section","heading":"Procedure before appointment","content":"### sec.145 Procedure before appointment\n\nA person may be appointed as privacy commissioner only if—\nthe Minister has placed press advertisements nationally calling for applications from suitably qualified persons to be considered for appointment; and\nthe Minister has consulted with the parliamentary committee about—\nthe process of selection for appointment; and\nthe appointment of the person as privacy commissioner.\nSubsection (1)(a) and (b)(i) does not apply to the reappointment of a person as privacy commissioner.\n(sec.145-ssec.1) A person may be appointed as privacy commissioner only if— the Minister has placed press advertisements nationally calling for applications from suitably qualified persons to be considered for appointment; and the Minister has consulted with the parliamentary committee about— the process of selection for appointment; and the appointment of the person as privacy commissioner.\n(sec.145-ssec.2)
Subsection (1)(a) and (b)(i) does not apply to the reappointment of a person as privacy commissioner.\n- (a) the Minister has placed press advertisements nationally calling for applications from suitably qualified persons to be considered for appointment; and\n- (b) the Minister has consulted with the parliamentary committee about— (i) the process of selection for appointment; and (ii) the appointment of the person as privacy commissioner.\n- (i) the process of selection for appointment; and\n- (ii) the appointment of the person as privacy commissioner.","sortOrder":168},{"sectionNumber":"sec.146","sectionType":"section","heading":"Term of appointment","content":"### sec.146 Term of appointment\n\nThe privacy commissioner holds office for the term, of not more than 5 years, stated in the instrument of appointment.\nHowever, a person being reappointed as privacy commissioner can not be reappointed for a term that would result in the person holding office as privacy commissioner for more than 10 years continuously.\n(sec.146-ssec.1) The privacy commissioner holds office for the term, of not more than 5 years, stated in the instrument of appointment.\n(sec.146-ssec.2) However, a person being reappointed as privacy commissioner can not be reappointed for a term that would result in the person holding office as privacy commissioner for more than 10 years continuously.","sortOrder":169},{"sectionNumber":"sec.147","sectionType":"section","heading":"Remuneration and conditions","content":"### sec.147 Remuneration and conditions\n\nThe privacy commissioner must be paid remuneration and other allowances decided by the Governor in Council.\nThe remuneration paid to the privacy commissioner must not be reduced during the commissioner’s term of office without the commissioner’s written agreement.\nIn relation to matters not provided for by this Act, the
privacy commissioner holds office on the terms and conditions decided by the Governor in Council.\n(sec.147-ssec.1) The privacy commissioner must be paid remuneration and other allowances decided by the Governor in Council.\n(sec.147-ssec.2) The remuneration paid to the privacy commissioner must not be reduced during the commissioner’s term of office without the commissioner’s written agreement.\n(sec.147-ssec.3) In relation to matters not provided for by this Act, the privacy commissioner holds office on the terms and conditions decided by the Governor in Council.","sortOrder":170},{"sectionNumber":"sec.148","sectionType":"section","heading":"Leave of absence","content":"### sec.148 Leave of absence\n\nThe information commissioner may approve a leave of absence for the privacy commissioner in accordance with entitlements available to the privacy commissioner under the privacy commissioner’s conditions of office.\ns 148 sub 2011 No. 45 s 234","sortOrder":171},{"sectionNumber":"sec.149","sectionType":"section","heading":"Preservation of rights if public service officer appointed","content":"### sec.149 Preservation of rights if public service officer appointed\n\nA public service officer who is appointed to the office of privacy commissioner or who is appointed to act in the office is entitled to retain all existing and accruing rights as if service in the office were a continuation of service as a public service officer.\nIf the person stops holding the office for a reason other than misconduct, the person is entitled to be employed as a public service officer.\nThe person must be employed on the classification level and remuneration that the Public Sector Commission under the Public Sector Act 2022 or another entity prescribed under a regulation considers the person would have attained in the ordinary course of progression if the person had continued in employment as a public service officer.\ns 149 amd 2022 No. 34 s 365
sch 3\n(sec.149-ssec.1) A public service officer who is appointed to the office of privacy commissioner or who is appointed to act in the office is entitled to retain all existing and accruing rights as if service in the office were a continuation of service as a public service officer.\n(sec.149-ssec.2) If the person stops holding the office for a reason other than misconduct, the person is entitled to be employed as a public service officer.\n(sec.149-ssec.3) The person must be employed on the classification level and remuneration that the Public Sector Commission under the Public Sector Act 2022 or another entity prescribed under a regulation considers the person would have attained in the ordinary course of progression if the person had continued in employment as a public service officer.","sortOrder":172},{"sectionNumber":"sec.150","sectionType":"section","heading":"Restriction on outside employment","content":"### sec.150 Restriction on outside employment\n\nThe privacy commissioner must not, without the Minister’s prior approval in each particular case—\nhold any office of profit other than that of privacy commissioner; or\nengage in any remunerative employment or undertaking outside the duties of the office.\nContravention of subsection (1) is misconduct under the Right to Information Act, section 160(a).\n(sec.150-ssec.1) The privacy commissioner must not, without the Minister’s prior approval in each particular case— hold any office of profit other than that of privacy commissioner; or engage in any remunerative employment or undertaking outside the duties of the office.\n(sec.150-ssec.2) Contravention of subsection (1) is misconduct under the Right to Information Act, section 160(a).\n- (a) hold any office of profit other than that of privacy commissioner; or\n- (b) engage in any remunerative employment or undertaking outside the duties of the
office.","sortOrder":173},{"sectionNumber":"sec.151","sectionType":"section","heading":"Resignation","content":"### sec.151 Resignation\n\nThe privacy commissioner may resign by signed notice given to the Minister.\nAs soon as practicable after the notice is given to the Minister, the Minister must—\ngive the notice to the Governor for information; and\ngive a copy of the notice to—\nthe Speaker of the Assembly; and\nthe chairperson of the parliamentary committee.\nFailure to comply with subsection (2) does not affect the effectiveness of the resignation.\n(sec.151-ssec.1) The privacy commissioner may resign by signed notice given to the Minister.\n(sec.151-ssec.2) As soon as practicable after the notice is given to the Minister, the Minister must— give the notice to the Governor for information; and give a copy of the notice to— the Speaker of the Assembly; and the chairperson of the parliamentary committee.\n(sec.151-ssec.3) Failure to comply with subsection (2) does not affect the effectiveness of the resignation.\n- (a) give the notice to the Governor for information; and\n- (b) give a copy of the notice to— (i) the Speaker of the Assembly; and (ii) the chairperson of the parliamentary committee.\n- (i) the Speaker of the Assembly; and\n- (ii) the chairperson of the parliamentary committee.","sortOrder":174},{"sectionNumber":"sec.152","sectionType":"section","heading":"Acting privacy commissioner","content":"### sec.152 Acting privacy commissioner\n\nThe Governor in Council may appoint a person to act as privacy commissioner—\nduring a vacancy in the office; or\nduring any period, or during all periods, when the privacy commissioner is absent from duty or from Australia or is, for another reason, unable to perform the duties of the office.\nThe acting privacy commissioner is appointed under this Act and not the Public Sector Act 2022.\nThe Acts
Interpretation Act 1954, section 25(1)(b)(iv) and (v) does not apply to the office of acting privacy commissioner.\ns 152 amd 2022 No. 34 s 365 sch 3\n(sec.152-ssec.1) The Governor in Council may appoint a person to act as privacy commissioner— during a vacancy in the office; or during any period, or during all periods, when the privacy commissioner is absent from duty or from Australia or is, for another reason, unable to perform the duties of the office.\n(sec.152-ssec.2) The acting privacy commissioner is appointed under this Act and not the Public Sector Act 2022.\n(sec.152-ssec.3) The Acts Interpretation Act 1954, section 25(1)(b)(iv) and (v) does not apply to the office of acting privacy commissioner.\n- (a) during a vacancy in the office; or\n- (b) during any period, or during all periods, when the privacy commissioner is absent from duty or from Australia or is, for another reason, unable to perform the duties of the office.","sortOrder":175},{"sectionNumber":"ch.4-pt.4","sectionType":"part","heading":"Proceedings","content":"# Proceedings","sortOrder":176},{"sectionNumber":"sec.153","sectionType":"section","heading":"Third party proceedings","content":"### sec.153 Third party proceedings\n\nThe information commissioner or a member of the staff of the OIC can not be compelled—\nto produce a privacy document in third party legal proceedings; or\nto disclose privacy information in third party legal proceedings.\nIn this section—\nprivacy document means a document received, or created, by the commissioner or member in performing functions under this Act.\nprivacy information means information that the commissioner or member obtained in performing functions under this Act.\nthird party legal proceedings means a legal proceeding other than—\na legal proceeding started by the commissioner; or\na legal proceeding started against the commissioner or member arising out of the performance of functions under this
Act.\n(sec.153-ssec.1) The information commissioner or a member of the staff of the OIC can not be compelled— to produce a privacy document in third party legal proceedings; or to disclose privacy information in third party legal proceedings.\n(sec.153-ssec.2) In this section— privacy document means a document received, or created, by the commissioner or member in performing functions under this Act. privacy information means information that the commissioner or member obtained in performing functions under this Act. third party legal proceedings means a legal proceeding other than— a legal proceeding started by the commissioner; or a legal proceeding started against the commissioner or member arising out of the performance of functions under this Act.\n- (a) to produce a privacy document in third party legal proceedings; or\n- (b) to disclose privacy information in third party legal proceedings.\n- (a) a legal proceeding started by the commissioner; or\n- (b) a legal proceeding started against the commissioner or member arising out of the performance of functions under this Act.","sortOrder":177},{"sectionNumber":"sec.154","sectionType":"section","heading":"Costs in proceedings","content":"### sec.154 Costs in proceedings\n\nIf a proceeding arising out of the performance of the functions of the information commissioner under this Act is started by the State, the reasonable costs of a party to the proceeding must be paid by the State.","sortOrder":178},{"sectionNumber":"sec.155","sectionType":"section","heading":"Information commissioner and privacy commissioner may appear in proceedings","content":"### sec.155 Information commissioner and privacy commissioner may appear in proceedings\n\nThe information commissioner or privacy commissioner is entitled to appear and be heard in a proceeding arising out of the performance of the functions of the commissioner.","sortOrder":179},{"sectionNumber":"sec.156","sectionType":"section","heading":"Intervention by 
Attorney-General","content":"### sec.156 Intervention by Attorney-General\n\nThe Attorney-General may, for the State, intervene in a proceeding before a court arising out of the performance of the functions of the information commissioner under this Act.\nIf the Attorney-General intervenes—\nthe court may make the order as to costs against the State the court considers appropriate; and\nthe Attorney-General becomes a party to the proceeding.\n(sec.156-ssec.1) The Attorney-General may, for the State, intervene in a proceeding before a court arising out of the performance of the functions of the information commissioner under this Act.\n(sec.156-ssec.2) If the Attorney-General intervenes— the court may make the order as to costs against the State the court considers appropriate; and the Attorney-General becomes a party to the proceeding.\n- (a) the court may make the order as to costs against the State the court considers appropriate; and\n- (b) the Attorney-General becomes a party to the proceeding.","sortOrder":180},{"sectionNumber":"ch.4-pt.5","sectionType":"part","heading":"Waiving or modifying particular obligations in the public interest","content":"# Waiving or modifying particular obligations in the public interest","sortOrder":181},{"sectionNumber":"sec.157","sectionType":"section","heading":"Applying for waiver or modification of particular obligations","content":"### sec.157 Applying for waiver or modification of particular obligations\n\nA relevant entity may apply to the information commissioner for an approval that waives or modifies an obligation of the entity to comply with—\nthe privacy principle requirements; or\nfor an agency—chapter 3A, part 2 or 3 or section 72 or 73.\nThe commissioner may, by gazette notice, give an approval that waives or modifies an obligation mentioned in subsection (1)—\nif it is a temporary approval—for the period of the approval’s operation; or\notherwise—until the approval is revoked or
amended.\nThe Statutory Instruments Act 1992, sections 49 to 51 apply to a gazette notice under subsection (2), including a gazette notice revoking or amending an approval, as if it were subordinate legislation.\nThe commissioner may give an approval under this section for an obligation only if the commissioner is satisfied that the public interest in the relevant entity’s compliance with the obligation is outweighed by the public interest in waiving or modifying the entity’s compliance with the obligation to the extent stated in the approval.\nWhile an approval is in force, the relevant entity does not contravene this Act in relation to the obligation the subject of the approval if the entity acts in accordance with the approval.\nIf the commissioner gives an approval under this section—\nthe commissioner must also ensure that a copy of the gazette notice is published on the commissioner’s website on the internet while the approval is in force; and\nif it is practicable to do so, the agency the subject of the approval must ensure that a copy of the gazette notice is published on the agency’s website on the internet.\ns 157 amd 2023 No. 32 s 40\n(sec.157-ssec.1) A relevant entity may apply to the information commissioner for an approval that waives or modifies an obligation of the entity to comply with— the privacy principle requirements; or for an agency—chapter 3A, part 2 or 3 or section 72 or 73.\n(sec.157-ssec.2) The commissioner may, by gazette notice, give an approval that waives or modifies an obligation mentioned in subsection (1)— if it is a temporary approval—for the period of the approval’s operation; or otherwise—until the approval is revoked or amended.\n(sec.157-ssec.3) The Statutory Instruments Act 1992, sections 49 to 51 apply to a gazette notice under subsection (2), including a gazette notice revoking or amending an approval, as if it were subordinate legislation.\n(sec.157-ssec.4) The
commissioner may give an approval under this section for an obligation only if the commissioner is satisfied that the public interest in the relevant entity’s compliance with the obligation is outweighed by the public interest in waiving or modifying the entity’s compliance with the obligation to the extent stated in the approval.\n(sec.157-ssec.5) While an approval is in force, the relevant entity does not contravene this Act in relation to the obligation the subject of the approval if the entity acts in accordance with the approval.\n(sec.157-ssec.6) If the commissioner gives an approval under this section— the commissioner must also ensure that a copy of the gazette notice is published on the commissioner’s website on the internet while the approval is in force; and if it is practicable to do so, the agency the subject of the approval must ensure that a copy of the gazette notice is published on the agency’s website on the internet.\n- (a) the privacy principle requirements; or\n- (b) for an agency—chapter 3A, part 2 or 3 or section 72 or 73.\n- (a) if it is a temporary approval—for the period of the approval’s operation; or\n- (b) otherwise—until the approval is revoked or amended.\n- (a) the commissioner must also ensure that a copy of the gazette notice is published on the commissioner’s website on the internet while the approval is in force; and\n- (b) if it is practicable to do so, the agency the subject of the approval must ensure that a copy of the gazette notice is published on the agency’s website on the internet.","sortOrder":182},{"sectionNumber":"ch.4-pt.6","sectionType":"part","heading":"Compliance notices","content":"# Compliance notices","sortOrder":183},{"sectionNumber":"sec.158","sectionType":"section","heading":"Compliance notice","content":"### sec.158 Compliance notice\n\nThe information commissioner may give a relevant entity a notice (a compliance notice) if the commissioner is satisfied on reasonable grounds that the
entity—\nhas done an act or engaged in a practice in contravention of a relevant obligation; and\nthe act or practice—\nis a serious or flagrant contravention of the obligation; or\nis of a kind that has been done or engaged in by the agency on at least 5 separate occasions within the last 2 years.\nA compliance notice may require a relevant entity to take stated action within a stated period for the purpose of ensuring compliance with the obligation.\nIn this section—\nrelevant obligation means an obligation to comply with—\nthe privacy principle requirements; or\nfor an agency—\nchapter 3A, part 2 or 3; or\na direction given to the agency under section 61(2); or\nsection 72 or 73.\ns 158 amd 2023 No. 32 s 41\n(sec.158-ssec.1) The information commissioner may give a relevant entity a notice (a compliance notice) if the commissioner is satisfied on reasonable grounds that the entity— has done an act or engaged in a practice in contravention of a relevant obligation; and the act or practice— is a serious or flagrant contravention of the obligation; or is of a kind that has been done or engaged in by the agency on at least 5 separate occasions within the last 2 years.\n(sec.158-ssec.2) A compliance notice may require a relevant entity to take stated action within a stated period for the purpose of ensuring compliance with the obligation.\n(sec.158-ssec.3) In this section— relevant obligation means an obligation to comply with— the privacy principle requirements; or for an agency— chapter 3A, part 2 or 3; or a direction given to the agency under section 61(2); or section 72 or 73.\n- (a) has done an act or engaged in a practice in contravention of a relevant obligation; and\n- (b) the act or practice— (i) is a serious or flagrant contravention of the obligation; or (ii) is of a kind that has been done or engaged in by the agency on at least 5 separate occasions within the last 2 years.\n- (i) is a
serious or flagrant contravention of the obligation; or\n- (ii) is of a kind that has been done or engaged in by the agency on at least 5 separate occasions within the last 2 years.\n- (a) the privacy principle requirements; or\n- (b) for an agency— (i) chapter 3A, part 2 or 3; or (ii) a direction given to the agency under section 61(2); or (iii) section 72 or 73.\n- (i) chapter 3A, part 2 or 3; or\n- (ii) a direction given to the agency under section 61(2); or\n- (iii) section 72 or 73.","sortOrder":184},{"sectionNumber":"sec.159","sectionType":"section","heading":"Extension of time for compliance","content":"### sec.159 Extension of time for compliance\n\nA relevant entity that is given a compliance notice may ask the information commissioner to extend the time within which it must take the action stated in the compliance notice.\nThe commissioner may amend the compliance notice by extending the period stated in the compliance notice for taking the action stated in the notice.\nBefore the commissioner extends the period—\nthe commissioner must be satisfied that it is not reasonably practicable for the relevant entity to take the action stated in the compliance notice within the time stated in the notice; and\nthe relevant entity must give the commissioner an undertaking to take the stated action within the extended period.\ns 159 amd 2023 No. 32 s 42\n(sec.159-ssec.1) A relevant entity that is given a compliance notice may ask the information commissioner to extend the time within which it must take the action stated in the compliance notice.\n(sec.159-ssec.2)
The commissioner may amend the compliance notice by extending the period stated in the compliance notice for taking the action stated in the notice.\n(sec.159-ssec.3) Before the commissioner extends the period— the commissioner must be satisfied that it is not reasonably practicable for the relevant entity to take the action stated in the compliance notice within the time stated in the notice; and the relevant entity must give the commissioner an undertaking to take the stated action within the extended period.\n- (a) the commissioner must be satisfied that it is not reasonably practicable for the relevant entity to take the action stated in the compliance notice within the time stated in the notice; and\n- (b) the relevant entity must give the commissioner an undertaking to take the stated action within the extended period.","sortOrder":185},{"sectionNumber":"sec.160","sectionType":"section","heading":"Relevant entity must comply with notice","content":"### sec.160 Relevant entity must comply with notice\n\nA relevant entity that is given a compliance notice under this part must take all reasonable steps to comply with the notice.\nMaximum penalty—100 penalty units.\ns 160 amd 2023 No. 32 s 43","sortOrder":186},{"sectionNumber":"sec.161","sectionType":"section","heading":"Application to Queensland Civil and Administrative Tribunal for review of decision to give compliance notice","content":"### sec.161 Application to Queensland Civil and Administrative Tribunal for review of decision to give compliance notice\n\nA relevant entity given a compliance notice under this part may apply, as provided under the QCAT Act, to QCAT for a review of a decision of the information commissioner to give the entity the compliance notice.\nQCAT must exercise its review jurisdiction under the QCAT Act.\ns 161 amd 2023 No. 32 s 44\n(sec.161-ssec.1) A relevant entity given a compliance notice under this part may apply, as provided under the QCAT Act, to
QCAT for a review of a decision of the information commissioner to give the entity the compliance notice.\n(sec.161-ssec.2) QCAT must exercise its review jurisdiction under the QCAT Act.","sortOrder":187},{"sectionNumber":"sec.162","sectionType":"section","heading":"Parties to QCAT proceeding","content":"### sec.162 Parties to QCAT proceeding\n\nThe relevant entity given a compliance notice under this part and the information commissioner are both parties to—\nan application to QCAT to review the decision to give the notice; and\nany review by QCAT of the decision.\ns 162 amd 2023 No. 32 s 45\n- (a) an application to QCAT to review the decision to give the notice; and\n- (b) any review by QCAT of the decision.","sortOrder":188},{"sectionNumber":"sec.163","sectionType":"section","heading":"How QCAT may dispose of review","content":"### sec.163 How QCAT may dispose of review\n\nIf QCAT reviews a decision of the information commissioner to give a relevant entity a compliance notice, QCAT may make any of the following orders—\nconfirm the commissioner’s decision to give the compliance notice;\nconfirm the commissioner’s decision to give a compliance notice but substitute a compliance notice that is in different terms from the compliance notice given;\nrevoke the giving of the compliance notice;\nrevoke the giving of the compliance notice and give the commissioner directions about the issuing of a replacement compliance notice.\ns 163 amd 2023 No. 32 s 46\n- (a) confirm the commissioner’s decision to give the compliance notice;\n- (b) confirm the commissioner’s decision to give a compliance notice but substitute a compliance notice that is in different terms from the compliance notice given;\n- (c) revoke the giving of the compliance notice;\n- (d) revoke the giving of the compliance notice and give the commissioner directions about the issuing of a replacement compliance
notice.","sortOrder":189},{"sectionNumber":"ch.5-pt.1","sectionType":"part","heading":"Making privacy complaints","content":"# Making privacy complaints","sortOrder":190},{"sectionNumber":"sec.164","sectionType":"section","heading":"Meaning of privacy complaint","content":"### sec.164 Meaning of privacy complaint\n\nA privacy complaint is a complaint by an individual about an act done or practice engaged in by a relevant entity in relation to the individual’s personal information that may be a breach of the relevant entity’s obligation to comply with—\nthe privacy principle requirements; or\nfor an agency—chapter 3A, part 2 or 3.\nHowever, a privacy complaint does not include a complaint in relation to the individual’s personal information to the extent the personal information is—\nin a document to which this Act does not apply; or\nif the personal information is held by a bound contracted service provider—in a document held by the provider other than for the purpose of performing its obligations under the provider’s service arrangement.\ns 164 sub 2023 No. 32 s 47\n(sec.164-ssec.1) A privacy complaint is a complaint by an individual about an act done or practice engaged in by a relevant entity in relation to the individual’s personal information that may be a breach of the relevant entity’s obligation to comply with— the privacy principle requirements; or for an agency—chapter 3A, part 2 or 3.\n(sec.164-ssec.2) However, a privacy complaint does not include a complaint in relation to the individual’s personal information to the extent the personal information is— in a document to which this Act does not apply; or if the personal information is held by a bound contracted service provider—in a document held by the provider other than for the purpose of performing its obligations under the provider’s service arrangement.\n- (a) the privacy principle requirements; or\n- (b) for an agency—chapter 3A, part 2 or 3.\n-
(a) in a document to which this Act does not apply; or\n- (b) if the personal information is held by a bound contracted service provider—in a document held by the provider other than for the purpose of performing its obligations under the provider’s service arrangement.","sortOrder":191},{"sectionNumber":"sec.164A","sectionType":"section","heading":"Response period for privacy complaints","content":"### sec.164A Response period for privacy complaints\n\nThe response period for a privacy complaint made to a relevant entity is—\nthe period of 45 business days after the day the privacy complaint is received by the relevant entity; or\nif the relevant entity asks the complainant for a longer period under subsection (2)—the period during which, under subsection (4), the relevant entity may continue to consider the privacy complaint, in addition to the period mentioned in paragraph (a).\nThe relevant entity may, before the end of a response period under subsection (1), ask the complainant for a further specified period to consider the complaint.\nA request under subsection (2) may be made more than once.\nIf the relevant entity makes a request under subsection (2), the relevant entity may continue to consider the complaint and respond to it until—\nthe complainant refuses the request; or\nthe relevant entity receives a notice that the complainant has made a privacy complaint to the information commission; or\nthe further specified period requested under subsection (2) ends.\ns 164A ins 2023 No. 32 s 47\n(sec.164A-ssec.1) The response period for a privacy complaint made to a relevant entity is— the period of 45 business days after the day the privacy complaint is received by the relevant entity; or if the relevant entity asks the complainant for a longer period under subsection (2)—the period during which, under subsection (4), the relevant entity may continue to consider the privacy complaint, in addition
to the period mentioned in paragraph (a).\n(sec.164A-ssec.2) The relevant entity may, before the end of a response period under subsection (1), ask the complainant for a further specified period to consider the complaint.\n(sec.164A-ssec.3) A request under subsection (2) may be made more than once.\n(sec.164A-ssec.4) If the relevant entity makes a request under subsection (2), the relevant entity may continue to consider the complaint and respond to it until— the complainant refuses the request; or the relevant entity receives a notice that the complainant has made a privacy complaint to the information commission; or the further specified period requested under subsection (2) ends.\n- (a) the period of 45 business days after the day the privacy complaint is received by the relevant entity; or\n- (b) if the relevant entity asks the complainant for a longer period under subsection (2)—the period during which, under subsection (4), the relevant entity may continue to consider the privacy complaint, in addition to the period mentioned in paragraph (a).\n- (a) the complainant refuses the request; or\n- (b) the relevant entity receives a notice that the complainant has made a privacy complaint to the information commission; or\n- (c) the further specified period requested under subsection (2) ends.","sortOrder":192},{"sectionNumber":"sec.165","sectionType":"section","heading":"Privacy complaint may be made or referred to information commissioner","content":"### sec.165 Privacy complaint may be made or referred to information commissioner\n\nAn individual whose personal information is, or at any time has been, held by a relevant entity may make a privacy complaint to the information commissioner.\nAlso, a privacy complaint may be referred to the commissioner by any of the following entities—\nthe ombudsman;\nthe health ombudsman under the Health Ombudsman Act 2013;\nthe human rights commissioner under the
Anti-Discrimination Act 1991;\na person or other entity having responsibilities, under a law of another State or the Commonwealth that corresponds to this Act, that correspond to the responsibilities of the commissioner under this Act;\nany other commission or external review body that has received the privacy complaint in performing its functions under a law.\nAs soon as practicable after receiving a privacy complaint made or referred under this section, the commissioner must advise the relevant entity the subject of the complaint.\ns 165 amd 2013 No. 36 s 331 sch 1; 2019 No. 5 s 153\n(sec.165-ssec.1) An individual whose personal information is, or at any time has been, held by a relevant entity may make a privacy complaint to the information commissioner.\n(sec.165-ssec.2) Also, a privacy complaint may be referred to the commissioner by any of the following entities— the ombudsman; the health ombudsman under the Health Ombudsman Act 2013; the human rights commissioner under the Anti-Discrimination Act 1991; a person or other entity having responsibilities, under a law of another State or the Commonwealth that corresponds to this Act, that correspond to the responsibilities of the commissioner under this Act; any other commission or external review body that has received the privacy complaint in performing its functions under a law.\n(sec.165-ssec.3) As soon as practicable after receiving a privacy complaint made or referred under this section, the commissioner must advise the relevant entity the subject of the complaint.\n- (a) the ombudsman;\n- (b) the health ombudsman under the Health Ombudsman Act 2013;\n- (c) the human rights commissioner under the Anti-Discrimination Act 1991;\n- (d) a person or other entity having responsibilities, under a law of another State or the Commonwealth that corresponds to this Act, that correspond to the responsibilities of the commissioner under this Act;\n- (e) any other commission or 
external review body that has received the privacy complaint in performing its functions under a law.","sortOrder":193},{"sectionNumber":"sec.166","sectionType":"section","heading":"Requirements for privacy complaint to information commissioner","content":"### sec.166 Requirements for privacy complaint to information commissioner\n\nA privacy complaint made or referred to the information commissioner must—\nbe written; and\nstate an address of the complainant to which notices may be forwarded under this Act; and\ngive particulars of the act or practice the subject of the complaint.\nFor a privacy complaint made to the commissioner by an individual, the commissioner must give reasonable help to the complainant to put the complaint into written form.\nHowever, an individual may not make a privacy complaint to the commissioner unless—\nthe individual has first made a privacy complaint to the relevant entity under section 166A; and\neither—\nthe individual does not consider the relevant entity’s response to the complaint to be adequate; or\nthe response period for the complaint has ended and the individual has not received a response to the complaint.\ns 166 amd 2023 No. 32 s 48\n(sec.166-ssec.1) A privacy complaint made or referred to the information commissioner must— be written; and state an address of the complainant to which notices may be forwarded under this Act; and give particulars of the act or practice the subject of the complaint.\n(sec.166-ssec.2) For a privacy complaint made to the commissioner by an individual, the commissioner must give reasonable help to the complainant to put the complaint into written form.\n(sec.166-ssec.3) However, an individual may not make a privacy complaint to the commissioner unless— the individual has first made a privacy complaint to the relevant entity under section 166A; and either— the individual does not consider the relevant entity’s response to the complaint to be adequate; or the response 
period for the complaint has ended and the individual has not received a response to the complaint.\n- (a) be written; and\n- (b) state an address of the complainant to which notices may be forwarded under this Act; and\n- (c) give particulars of the act or practice the subject of the complaint.\n- (a) the individual has first made a privacy complaint to the relevant entity under section 166A; and\n- (b) either— (i) the individual does not consider the relevant entity’s response to the complaint to be adequate; or (ii) the response period for the complaint has ended and the individual has not received a response to the complaint.\n- (i) the individual does not consider the relevant entity’s response to the complaint to be adequate; or\n- (ii) the response period for the complaint has ended and the individual has not received a response to the complaint.\n- (i) the individual does not consider the relevant entity’s response to the complaint to be adequate; or\n- (ii) the response period for the complaint has ended and the individual has not received a response to the complaint.","sortOrder":194},{"sectionNumber":"sec.166A","sectionType":"section","heading":"Requirements for privacy complaint to relevant entity","content":"### sec.166A Requirements for privacy complaint to relevant entity\n\nA privacy complaint made to a relevant entity by an individual must—\nbe in writing; and\nstate an address to which the entity may respond to the complaint; and\ngive particulars of the act or practice the subject of the complaint; and\nbe made within 12 months after the complainant becomes aware of the act or practice the subject of the complaint, or a longer period agreed by the relevant entity.\nThe relevant entity may agree to a longer period under subsection (1)(d) if the relevant entity is satisfied the extension is reasonable in the circumstances.\nThe relevant entity must give reasonable help to the individual to put the complaint in writing.\ns 166A ins 
2023 No. 32 s 49\n(sec.166A-ssec.1) A privacy complaint made to a relevant entity by an individual must— be in writing; and state an address to which the entity may respond to the complaint; and give particulars of the act or practice the subject of the complaint; and be made within 12 months after the complainant becomes aware of the act or practice the subject of the complaint, or a longer period agreed by the relevant entity.\n(sec.166A-ssec.2) The relevant entity may agree to a longer period under subsection (1)(d) if the relevant entity is satisfied the extension is reasonable in the circumstances.\n(sec.166A-ssec.3) The relevant entity must give reasonable help to the individual to put the complaint in writing.\n- (a) be in writing; and\n- (b) state an address to which the entity may respond to the complaint; and\n- (c) give particulars of the act or practice the subject of the complaint; and\n- (d) be made within 12 months after the complainant becomes aware of the act or practice the subject of the complaint, or a longer period agreed by the relevant entity.","sortOrder":195},{"sectionNumber":"ch.5-pt.2","sectionType":"part","heading":"Dealing with privacy complaints","content":"# Dealing with privacy complaints","sortOrder":196},{"sectionNumber":"sec.167","sectionType":"section","heading":"Preliminary action","content":"### sec.167 Preliminary action\n\nThe information commissioner may make preliminary inquiries of the complainant and the respondent for a privacy complaint to decide whether the commissioner is authorised to deal with the privacy complaint and whether the commissioner may decline to deal with the complaint.","sortOrder":197},{"sectionNumber":"sec.168","sectionType":"section","heading":"Information commissioner may decline to deal with or to deal further with complaint","content":"### sec.168 Information commissioner may decline to deal with or to deal further with complaint\n\nThe information commissioner may decline to deal 
with a privacy complaint, or a part of a privacy complaint, made or referred to the commissioner if—\nthe act or practice the subject of the complaint or part does not relate to the personal information of the complainant; or\nthe requirements under section 166(3) for making a complaint have not been fully satisfied; or\nthe commissioner reasonably believes the complaint or part is frivolous, vexatious, misconceived or lacking in substance; or\nthere is a more appropriate course of action available under another Act to deal with the substance of the complaint or part; or\nalthough the complainant made the complaint to the respondent as required under section 166(3), in the circumstances, the respondent has not yet had an adequate opportunity to deal with the complaint or part; or\n12 months have elapsed since the earlier of the following days—\nthe last day of the response period for the complaint;\nthe day the relevant entity responds to the complaint or part.\nThe commissioner may decline to continue dealing with a privacy complaint, or a part of a privacy complaint, made or referred to the commissioner if—\nthe complainant does not comply with a reasonable request made by the commissioner in dealing with the complaint or part; or\nthe commissioner is satisfied on reasonable grounds that the complainant, without a reasonable excuse, has not cooperated in the commissioner’s dealing with the complaint or part; or\nthe commissioner considers the address the complainant stated in making the privacy complaint is no longer the address at which the complainant can be contacted, and the complainant has not, within a reasonable time, advised the commissioner of a new address to which notices may be sent under this Act.\ns 168 amd 2023 No. 32 s 50\n(sec.168-ssec.1) The information commissioner may decline to deal with a privacy complaint, or a part of a privacy complaint, made or referred to the commissioner if— the act or practice the subject 
of the complaint or part does not relate to the personal information of the complainant; or the requirements under section 166(3) for making a complaint have not been fully satisfied; or the commissioner reasonably believes the complaint or part is frivolous, vexatious, misconceived or lacking in substance; or there is a more appropriate course of action available under another Act to deal with the substance of the complaint or part; or although the complainant made the complaint to the respondent as required under section 166(3), in the circumstances, the respondent has not yet had an adequate opportunity to deal with the complaint or part; or 12 months have elapsed since the earlier of the following days— the last day of the response period for the complaint; the day the relevant entity responds to the complaint or part.\n(sec.168-ssec.2) The commissioner may decline to continue dealing with a privacy complaint, or a part of a privacy complaint, made or referred to the commissioner if— the complainant does not comply with a reasonable request made by the commissioner in dealing with the complaint or part; or the commissioner is satisfied on reasonable grounds that the complainant, without a reasonable excuse, has not cooperated in the commissioner’s dealing with the complaint or part; or the commissioner considers the address the complainant stated in making the privacy complaint is no longer the address at which the complainant can be contacted, and the complainant has not, within a reasonable time, advised the commissioner of a new address to which notices may be sent under this Act.\n- (a) the act or practice the subject of the complaint or part does not relate to the personal information of the complainant; or\n- (b) the requirements under section 166(3) for making a complaint have not been fully satisfied; or\n- (c) the commissioner reasonably believes the complaint or part is frivolous, vexatious, misconceived or lacking in substance; 
or\n- (d) there is a more appropriate course of action available under another Act to deal with the substance of the complaint or part; or\n- (e) although the complainant made the complaint to the respondent as required under section 166(3), in the circumstances, the respondent has not yet had an adequate opportunity to deal with the complaint or part; or\n- (f) 12 months have elapsed since the earlier of the following days— (i) the last day of the response period for the complaint; (ii) the day the relevant entity responds to the complaint or part.\n- (i) the last day of the response period for the complaint;\n- (ii) the day the relevant entity responds to the complaint or part.\n- (i) the last day of the response period for the complaint;\n- (ii) the day the relevant entity responds to the complaint or part.\n- (a) the complainant does not comply with a reasonable request made by the commissioner in dealing with the complaint or part; or\n- (b) the commissioner is satisfied on reasonable grounds that the complainant, without a reasonable excuse, has not cooperated in the commissioner’s dealing with the complaint or part; or\n- (c) the commissioner considers the address the complainant stated in making the privacy complaint is no longer the address at which the complainant can be contacted, and the complainant has not, within a reasonable time, advised the commissioner of a new address to which notices may be sent under this Act.","sortOrder":198},{"sectionNumber":"sec.169","sectionType":"section","heading":"Referral of privacy complaint to other entity","content":"### sec.169 Referral of privacy complaint to other entity\n\nIf the subject of a privacy complaint could be the subject of a complaint under the Ombudsman Act 2001, the information commissioner may refer the complaint to the ombudsman.\nIf the subject of a privacy complaint could be the subject of a complaint under the Health Ombudsman Act 2013, the commissioner may refer the complaint to the 
health ombudsman under that Act.\nIf the subject of a privacy complaint could be the subject of a complaint under a law of another State or the Commonwealth that corresponds to this Act, the commissioner may refer the complaint to the entity under that law having responsibility for dealing with complaints in the nature of privacy complaints.\ns 169 amd 2013 No. 36 s 331 sch 1\n(sec.169-ssec.1) If the subject of a privacy complaint could be the subject of a complaint under the Ombudsman Act 2001, the information commissioner may refer the complaint to the ombudsman.\n(sec.169-ssec.2) If the subject of a privacy complaint could be the subject of a complaint under the Health Ombudsman Act 2013, the commissioner may refer the complaint to the health ombudsman under that Act.\n(sec.169-ssec.3) If the subject of a privacy complaint could be the subject of a complaint under a law of another State or the Commonwealth that corresponds to this Act, the commissioner may refer the complaint to the entity under that law having responsibility for dealing with complaints in the nature of privacy complaints.","sortOrder":199},{"sectionNumber":"sec.170","sectionType":"section","heading":"Arrangement with ombudsman","content":"### sec.170 Arrangement with ombudsman\n\nThe information commissioner may enter into an arrangement with the ombudsman providing for—\nthe privacy complaints under this chapter that the commissioner should refer to the ombudsman because they—\nrelate to administrative actions; and\nwould be more appropriately dealt with by the ombudsman under the Ombudsman Act 2001; or\nthe complaints under the Ombudsman Act 2001 that the ombudsman should refer to the commissioner because they—\nrelate to decisions or other actions for which the commissioner has jurisdiction; and\nwould be more appropriately dealt with by the commissioner under this chapter; or\nhow to deal with an administrative action that is the subject of a complaint, preliminary 
inquiry or investigation under the Ombudsman Act 2001 and a privacy complaint under this chapter; or\nthe cooperative performance by the commissioner and the ombudsman of their respective functions relating to administrative actions.\nIf an arrangement entered into under subsection (1) provides for referrals as mentioned in subsection (1)(a) or (b), the arrangement must also provide for how the referral is to be made.\nThe commissioner and the ombudsman are empowered to perform their functions in accordance with any relevant arrangement entered into under this section.\nIn this section—\nadministrative action has the meaning given by the Ombudsman Act 2001, section 7.\n(sec.170-ssec.1) The information commissioner may enter into an arrangement with the ombudsman providing for— the privacy complaints under this chapter that the commissioner should refer to the ombudsman because they— relate to administrative actions; and would be more appropriately dealt with by the ombudsman under the Ombudsman Act 2001; or the complaints under the Ombudsman Act 2001 that the ombudsman should refer to the commissioner because they— relate to decisions or other actions for which the commissioner has jurisdiction; and would be more appropriately dealt with by the commissioner under this chapter; or how to deal with an administrative action that is the subject of a complaint, preliminary inquiry or investigation under the Ombudsman Act 2001 and a privacy complaint under this chapter; or the cooperative performance by the commissioner and the ombudsman of their respective functions relating to administrative actions.\n(sec.170-ssec.2) If an arrangement entered into under subsection (1) provides for referrals as mentioned in subsection (1)(a) or (b), the arrangement must also provide for how the referral is to be made.\n(sec.170-ssec.3) The commissioner and the ombudsman are empowered to perform their functions in accordance with any relevant arrangement 
entered into under this section.\n(sec.170-ssec.4) In this section— administrative action has the meaning given by the Ombudsman Act 2001, section 7.\n- (a) the privacy complaints under this chapter that the commissioner should refer to the ombudsman because they— (i) relate to administrative actions; and (ii) would be more appropriately dealt with by the ombudsman under the Ombudsman Act 2001; or\n- (i) relate to administrative actions; and\n- (ii) would be more appropriately dealt with by the ombudsman under the Ombudsman Act 2001; or\n- (b) the complaints under the Ombudsman Act 2001 that the ombudsman should refer to the commissioner because they— (i) relate to decisions or other actions for which the commissioner has jurisdiction; and (ii) would be more appropriately dealt with by the commissioner under this chapter; or\n- (i) relate to decisions or other actions for which the commissioner has jurisdiction; and\n- (ii) would be more appropriately dealt with by the commissioner under this chapter; or\n- (c) how to deal with an administrative action that is the subject of a complaint, preliminary inquiry or investigation under the Ombudsman Act 2001 and a privacy complaint under this chapter; or\n- (d) the cooperative performance by the commissioner and the ombudsman of their respective functions relating to administrative actions.\n- (i) relate to administrative actions; and\n- (ii) would be more appropriately dealt with by the ombudsman under the Ombudsman Act 2001; or\n- (i) relate to decisions or other actions for which the commissioner has jurisdiction; and\n- (ii) would be more appropriately dealt with by the commissioner under this chapter; or","sortOrder":200},{"sectionNumber":"ch.5-pt.3","sectionType":"part","heading":"Mediation of privacy complaints","content":"# Mediation of privacy complaints","sortOrder":201},{"sectionNumber":"sec.171","sectionType":"section","heading":"Attempting resolution through mediation","content":"### sec.171 
Attempting resolution through mediation\n\nThe information commissioner must consider whether, in the circumstances as known to the commissioner, resolution of a privacy complaint could be achieved through mediation.\nIf it appears to the commissioner that it is reasonably likely that resolution of the privacy complaint could be achieved through mediation, the commissioner must take all reasonable steps to cause the complaint to be mediated.\n(sec.171-ssec.1) The information commissioner must consider whether, in the circumstances as known to the commissioner, resolution of a privacy complaint could be achieved through mediation.\n(sec.171-ssec.2) If it appears to the commissioner that it is reasonably likely that resolution of the privacy complaint could be achieved through mediation, the commissioner must take all reasonable steps to cause the complaint to be mediated.","sortOrder":202},{"sectionNumber":"sec.172","sectionType":"section","heading":"Certification of mediated agreement","content":"### sec.172 Certification of mediated agreement\n\nThis section applies if, after mediation of a privacy complaint, the complainant and the respondent for the complaint agree on a resolution of the complaint.\nThe complainant or the respondent may ask the information commissioner to prepare a written record of the agreement.\nA request under subsection (2) must be made within 20 business days after the agreement is reached under subsection (1).\nIf a request is made under subsection (2), the commissioner must take all reasonable steps to—\nprepare a written record of the agreement; and\nhave the record signed by both the complainant and the respondent; and\ncertify the agreement.\n(sec.172-ssec.1) This section applies if, after mediation of a privacy complaint, the complainant and the respondent for the complaint agree on a resolution of the complaint.\n(sec.172-ssec.2) The complainant or the respondent may ask the information commissioner to prepare a 
written record of the agreement.\n(sec.172-ssec.3) A request under subsection (2) must be made within 20 business days after the agreement is reached under subsection (1).\n(sec.172-ssec.4) If a request is made under subsection (2), the commissioner must take all reasonable steps to— prepare a written record of the agreement; and have the record signed by both the complainant and the respondent; and certify the agreement.\n- (a) prepare a written record of the agreement; and\n- (b) have the record signed by both the complainant and the respondent; and\n- (c) certify the agreement.","sortOrder":203},{"sectionNumber":"sec.173","sectionType":"section","heading":"Filing of certified agreement with Queensland Civil and Administrative Tribunal","content":"### sec.173 Filing of certified agreement with Queensland Civil and Administrative Tribunal\n\nThe complainant or respondent to a privacy complaint the subject of a certified agreement under this part may file a copy of the agreement with QCAT.\nQCAT may make orders necessary to give effect to the certified agreement if, within 5 business days after the agreement is filed with QCAT, neither the complainant nor the respondent advises QCAT that the party wishes to withdraw from the agreement.\nHowever, QCAT may make an order under subsection (2) only if it is satisfied that implementation of the order is practicable and that the order is consistent with an order QCAT may make under the QCAT Act.\nAn order under subsection (2) becomes, and may be enforced as, an order of QCAT under the QCAT Act.\n(sec.173-ssec.1) The complainant or respondent to a privacy complaint the subject of a certified agreement under this part may file a copy of the agreement with QCAT.\n(sec.173-ssec.2) QCAT may make orders necessary to give effect to the certified agreement if, within 5 business days after the agreement is filed with QCAT, neither the complainant nor the respondent advises QCAT that the party wishes to 
withdraw from the agreement.\n(sec.173-ssec.3) However, QCAT may make an order under subsection (2) only if it is satisfied that implementation of the order is practicable and that the order is consistent with an order QCAT may make under the QCAT Act.\n(sec.173-ssec.4) An order under subsection (2) becomes, and may be enforced as, an order of QCAT under the QCAT Act.","sortOrder":204},{"sectionNumber":"sec.173A","sectionType":"section","heading":"Confidentiality of mediation","content":"### sec.173A Confidentiality of mediation\n\nNothing said or done in the course of a mediation of a privacy complaint is admissible in any criminal, civil or administrative proceeding, unless the complainant and respondent for the complaint agree.\ns 173A ins 2023 No. 32 s 51","sortOrder":205},{"sectionNumber":"ch.5-pt.4","sectionType":"part","heading":"Referral of privacy complaints to QCAT","content":"# Referral of privacy complaints to QCAT","sortOrder":206},{"sectionNumber":"sec.174","sectionType":"section","heading":"Application of pt 4","content":"### sec.174 Application of pt 4\n\nThis part applies if a privacy complaint is made to the information commissioner under this chapter, and—\nit does not appear to the commissioner reasonably likely that resolution of the complaint could be achieved through mediation; or\nmediation of the complaint is attempted under this chapter but a certified agreement for the resolution of the complaint is not achieved.\n- (a) it does not appear to the commissioner reasonably likely that resolution of the complaint could be achieved through mediation; or\n- (b) mediation of the complaint is attempted under this chapter but a certified agreement for the resolution of the complaint is not achieved.","sortOrder":207},{"sectionNumber":"sec.175","sectionType":"section","heading":"Advice to parties","content":"### sec.175 Advice to parties\n\nThe information commissioner must give written notice to both the 
complainant and the respondent for the privacy complaint advising—\nthat this part applies and why it applies; and\nthat the complainant may ask the commissioner to refer the privacy complaint to QCAT under section 175A.\ns 175 amd 2023 No. 32 s 52\n- (a) that this part applies and why it applies; and\n- (b) that the complainant may ask the commissioner to refer the privacy complaint to QCAT under section 175A.","sortOrder":208},{"sectionNumber":"sec.175A","sectionType":"section","heading":"Complainant’s request for referral to Queensland Civil and Administrative Tribunal","content":"### sec.175A Complainant’s request for referral to Queensland Civil and Administrative Tribunal\n\nWithin 20 business days after the date of the notice given under section 175, the complainant may, by written notice given to the information commissioner, ask the commissioner to refer the privacy complaint to QCAT.\nThe information commissioner may, if asked by the complainant, extend the period mentioned in subsection (1) if the commissioner is satisfied extending the period is reasonable in all the circumstances.\nIf the information commissioner extends the period under subsection (2), the commissioner must give a written notice to the complainant and the respondent for the privacy complaint stating the new period within which the complainant may give notice under subsection (1).\ns 175A ins 2023 No. 32 s 53\n(sec.175A-ssec.1) Within 20 business days after the date of the notice given under section 175, the complainant may, by written notice given to the information commissioner, ask the commissioner to refer the privacy complaint to QCAT.\n(sec.175A-ssec.2) The information commissioner may, if asked by the complainant, extend the period mentioned in subsection (1) if the commissioner is satisfied extending the period is reasonable in all the circumstances.\n(sec.175A-ssec.3) If the information commissioner 
extends the period under subsection (2), the commissioner must give a written notice to the complainant and the respondent for the privacy complaint stating the new period within which the complainant may give notice under subsection (1).","sortOrder":209},{"sectionNumber":"sec.176","sectionType":"section","heading":"Referral to Queensland Civil and Administrative Tribunal","content":"### sec.176 Referral to Queensland Civil and Administrative Tribunal\n\nIf the complainant gives written notice to the information commissioner under section 175A, the commissioner must refer the privacy complaint to QCAT within 20 business days after receiving the written notice.\nQCAT must exercise its original jurisdiction under the QCAT Act to hear and decide a privacy complaint referred to it under this section.\ns 176 amd 2023 No. 32 s 54\n(sec.176-ssec.1) If the complainant gives written notice to the information commissioner under section 175A, the commissioner must refer the privacy complaint to QCAT within 20 business days after receiving the written notice.\n(sec.176-ssec.2) QCAT must exercise its original jurisdiction under the QCAT Act to hear and decide a privacy complaint referred to it under this section.","sortOrder":210},{"sectionNumber":"sec.177","sectionType":"section","heading":"Parties to QCAT proceeding","content":"### sec.177 Parties to QCAT proceeding\n\nThe complainant and respondent for a privacy complaint the information commissioner refers to QCAT are both parties to the proceeding before QCAT.\nThe complainant is taken to be the applicant for the proceeding before QCAT.\n(sec.177-ssec.1) The complainant and respondent for a privacy complaint the information commissioner refers to QCAT are both parties to the proceeding before QCAT.\n(sec.177-ssec.2) The complainant is taken to be the applicant for the proceeding before QCAT.","sortOrder":211},{"sectionNumber":"sec.178","sectionType":"section","heading":"How QCAT may 
dispose of complaint","content":"### sec.178 How QCAT may dispose of complaint\n\nAfter the hearing of a privacy complaint referred to QCAT, QCAT may make 1 or more of the following orders—\nan order that the breach the subject of the complaint, or part of the complaint, has been substantiated, together with, if considered appropriate, an order in accordance with 1 or more of the following—\nthat the respondent must not repeat or continue the act or practice the subject of the complaint;\nthat the respondent must engage in a stated reasonable act or practice to compensate for loss or damage suffered by the complainant;\nthat the respondent must apologise to the complainant for the act or practice the subject of the complaint;\nthat the respondent must make stated amendments of documents it holds;\nthat the respondent is liable to pay the complainant a stated amount, of not more than $100,000 to compensate the complainant for loss or damage suffered by the complainant because of the act or practice the subject of the complaint, including for any injury to the complainant’s feelings or humiliation suffered by the complainant;\nan order that the breach the subject of the complaint, or part of the complaint, has been substantiated together with an order that no further action is required to be taken;\nan order that the breach the subject of the complaint, or part of the complaint, has not been substantiated, together with an order that the complaint or part is dismissed;\nan order that the complainant be reimbursed for expenses reasonably incurred in connection with making the complaint.\ns 178 amd 2023 No. 32 s 55\n- (a) an order that the breach the subject of the complaint, or part of the complaint, has been substantiated, together with, if considered appropriate, an order in accordance with 1 or more of the following— (i) that the respondent must not repeat or continue the act or practice the subject of the complaint; (ii) that the respondent must 
engage in a stated reasonable act or practice to compensate for loss or damage suffered by the complainant; (iii) that the respondent must apologise to the complainant for the act or practice the subject of the complaint; (iv) that the respondent must make stated amendments of documents it holds; (v) that the respondent is liable to pay the complainant a stated amount, of not more than $100,000 to compensate the complainant for loss or damage suffered by the complainant because of the act or practice the subject of the complaint, including for any injury to the complainant’s feelings or humiliation suffered by the complainant;\n- (i) that the respondent must not repeat or continue the act or practice the subject of the complaint;\n- (ii) that the respondent must engage in a stated reasonable act or practice to compensate for loss or damage suffered by the complainant;\n- (iii) that the respondent must apologise to the complainant for the act or practice the subject of the complaint;\n- (iv) that the respondent must make stated amendments of documents it holds;\n- (v) that the respondent is liable to pay the complainant a stated amount, of not more than $100,000 to compensate the complainant for loss or damage suffered by the complainant because of the act or practice the subject of the complaint, including for any injury to the complainant’s feelings or humiliation suffered by the complainant;\n- (b) an order that the breach the subject of the complaint, or part of the complaint, has been substantiated together with an order that no further action is required to be taken;\n- (c) an order that the breach the subject of the complaint, or part of the complaint, has not been substantiated, together with an order that the complaint or part is dismissed;\n- (d) an order that the complainant be reimbursed for expenses reasonably incurred in connection with making the complaint.\n- (i) that the respondent must not repeat or continue the act or practice the subject of the 
complaint;\n- (ii) that the respondent must engage in a stated reasonable act or practice to compensate for loss or damage suffered by the complainant;\n- (iii) that the respondent must apologise to the complainant for the act or practice the subject of the complaint;\n- (iv) that the respondent must make stated amendments of documents it holds;\n- (v) that the respondent is liable to pay the complainant a stated amount, of not more than $100,000 to compensate the complainant for loss or damage suffered by the complainant because of the act or practice the subject of the complaint, including for any injury to the complainant’s feelings or humiliation suffered by the complainant;","sortOrder":212},{"sectionNumber":"ch.6-pt.1","sectionType":"part","heading":"Protections","content":"# Protections","sortOrder":213},{"sectionNumber":"sec.179","sectionType":"section","heading":"Access—protection against actions for defamation or breach of confidence","content":"### sec.179 Access—protection against actions for defamation or breach of confidence\n\nIf a person has been given access to a document and the access was required or permitted to be given under this Act—\nno action for defamation or breach of confidence lies against the State, an agency or an officer of an agency because of the authorising or giving of the access; and\nno action for defamation or breach of confidence in relation to any publication involved in, or resulting from, the giving of the access lies against the author of the document or another person because of the author or another person having given the document to an agency.\nThe giving of access to a document in compliance with the privacy principle requirements must not be taken for the purposes of the law relating to defamation or breach of confidence to constitute an authorisation or approval of the publication of the document or its contents by the person to whom access is given.\ns 179 amd 2023 No. 32 s 56\n(sec.179-ssec.1) If a 
person has been given access to a document and the access was required or permitted to be given under this Act— no action for defamation or breach of confidence lies against the State, an agency or an officer of an agency because of the authorising or giving of the access; and no action for defamation or breach of confidence in relation to any publication involved in, or resulting from, the giving of the access lies against the author of the document or another person because of the author or another person having given the document to an agency.\n(sec.179-ssec.2) The giving of access to a document in compliance with the privacy principle requirements must not be taken for the purposes of the law relating to defamation or breach of confidence to constitute an authorisation or approval of the publication of the document or its contents by the person to whom access is given.\n- (a) no action for defamation or breach of confidence lies against the State, an agency or an officer of an agency because of the authorising or giving of the access; and\n- (b) no action for defamation or breach of confidence in relation to any publication involved in, or resulting from, the giving of the access lies against the author of the document or another person because of the author or another person having given the document to an agency.","sortOrder":214},{"sectionNumber":"sec.180","sectionType":"section","heading":null,"content":"### Section sec.180\n\ns 180 om 2023 No. 32 s 57","sortOrder":215},{"sectionNumber":"sec.181","sectionType":"section","heading":"Access—protection in respect of offences","content":"### sec.181 Access—protection in respect of offences\n\nIf access has been given to a document and the access was required or permitted to be given under this Act, neither the person authorising the access nor any other person concerned in the giving of the access commits a criminal offence merely because of the authorising or giving of the access.\ns 181 sub 
2023 No. 32 s 58","sortOrder":216},{"sectionNumber":"sec.182","sectionType":"section","heading":null,"content":"### Section sec.182\n\ns 182 om 2023 No. 32 s 59","sortOrder":217},{"sectionNumber":"sec.183","sectionType":"section","heading":"Protection of agency, information commissioner etc. from personal liability","content":"### sec.183 Protection of agency, information commissioner etc. from personal liability\n\nA relevant entity does not incur civil liability for an act done or omission made honestly and without negligence under this Act.\nA liability that would, other than for this section, attach to a relevant entity attaches instead to the State.\nIn this section—\nrelevant entity means any of the following—\nan agency;\nan agency’s principal officer;\na person acting under the direction of an agency or an agency’s principal officer;\nthe information commissioner;\na member of the staff of the OIC.\ns 183 amd 2023 No. 32 s 60\n(sec.183-ssec.1) A relevant entity does not incur civil liability for an act done or omission made honestly and without negligence under this Act.\n(sec.183-ssec.2) A liability that would, other than for this section, attach to a relevant entity attaches instead to the State.\n(sec.183-ssec.3) In this section— relevant entity means any of the following— an agency; an agency’s principal officer; a person acting under the direction of an agency or an agency’s principal officer; the information commissioner; a member of the staff of the OIC.\n- (a) an agency;\n- (b) an agency’s principal officer;\n- (c) a person acting under the direction of an agency or an agency’s principal officer;\n- (d) the information commissioner;\n- (e) a member of the staff of the OIC.","sortOrder":218},{"sectionNumber":"ch.6-pt.2","sectionType":"part","heading":"Offences","content":"# Offences","sortOrder":219},{"sectionNumber":"sec.184","sectionType":"section","heading":"Direction to act in particular way","content":"### 
sec.184 Direction to act in particular way\n\nA person must not give a direction, either orally or in writing to a person required or permitted to make a decision under this Act directing the person to make a decision the person believes is not the decision that should be made under this Act.\nMaximum penalty—100 penalty units.\nSubsection (1) does not apply to the information commissioner or a person authorised by the commissioner in relation to a direction that may be given to a member of the staff of the OIC under section 140.\nA person must not give a direction, either orally or in writing to a person who is an employee or officer of the agency involved in a matter under this Act directing the person to act contrary to the requirements of this Act.\nMaximum penalty—100 penalty units.\n(sec.184-ssec.1) A person must not give a direction, either orally or in writing to a person required or permitted to make a decision under this Act directing the person to make a decision the person believes is not the decision that should be made under this Act. Maximum penalty—100 penalty units.\n(sec.184-ssec.2) Subsection (1) does not apply to the information commissioner or a person authorised by the commissioner in relation to a direction that may be given to a member of the staff of the OIC under section 140.\n(sec.184-ssec.3) A person must not give a direction, either orally or in writing to a person who is an employee or officer of the agency involved in a matter under this Act directing the person to act contrary to the requirements of this Act. 
Maximum penalty—100 penalty units.","sortOrder":220},{"sectionNumber":"sec.185","sectionType":"section","heading":"Unlawful access","content":"### sec.185 Unlawful access\n\nA person must not, in order to gain access to a document containing another person’s personal information, knowingly deceive or mislead a person exercising powers under this Act.\nMaximum penalty—100 penalty units.\ns 185 amd 2023 No. 32 s 61","sortOrder":221},{"sectionNumber":"sec.186","sectionType":"section","heading":"False or misleading information","content":"### sec.186 False or misleading information\n\nA person must not give information to an official that the person knows is false or misleading in a material particular.\nMaximum penalty—100 penalty units.\nSubsection (1) does not apply to information given in a document, if the person when giving the document—\ninforms the official, to the best of the person’s ability, how the information is false or misleading; and\ngives the correct information to the official if the person has, or can reasonably obtain, the correct information.\nIt is enough for a complaint against a person for an offence against subsection (1) to state that the information was ‘false or misleading’, without specifying whether it was false or whether it was misleading.\nIn this section—\nofficial means—\nthe information commissioner; or\na member of the staff of the OIC; or\nan authorised officer.\ns 186 amd 2023 No. 32 s 62\n(sec.186-ssec.1) A person must not give information to an official that the person knows is false or misleading in a material particular. 
Maximum penalty—100 penalty units.\n(sec.186-ssec.2) Subsection (1) does not apply to information given in a document, if the person when giving the document— informs the official, to the best of the person’s ability, how the information is false or misleading; and gives the correct information to the official if the person has, or can reasonably obtain, the correct information.\n(sec.186-ssec.3) It is enough for a complaint against a person for an offence against subsection (1) to state that the information was ‘false or misleading’, without specifying whether it was false or whether it was misleading.\n(sec.186-ssec.4) In this section— official means— the information commissioner; or a member of the staff of the OIC; or an authorised officer.\n- (a) informs the official, to the best of the person’s ability, how the information is false or misleading; and\n- (b) gives the correct information to the official if the person has, or can reasonably obtain, the correct information.\n- (a) the information commissioner; or\n- (b) a member of the staff of the OIC; or\n- (c) an authorised officer.","sortOrder":222},{"sectionNumber":"sec.187","sectionType":"section","heading":"Failure to give information or attend proceedings","content":"### sec.187 Failure to give information or attend proceedings\n\nA person given notice under section 197 to give information to, or attend before, the information commissioner must not, without reasonable excuse, fail to do so.\nMaximum penalty—100 penalty units.\nIf the person is an individual and is given notice to give information, it is a reasonable excuse for the person to fail to give the information if complying with the requirement might tend to incriminate the person or expose the person to a penalty.\nSubsection (2) does not apply in relation to information that is in a document required to be kept by the person under this Act.\ns 187 sub 2023 No. 32 s 63\n(sec.187-ssec.1) A person given notice 
under section 197 to give information to, or attend before, the information commissioner must not, without reasonable excuse, fail to do so. Maximum penalty—100 penalty units.\n(sec.187-ssec.2) If the person is an individual and is given notice to give information, it is a reasonable excuse for the person to fail to give the information if complying with the requirement might tend to incriminate the person or expose the person to a penalty.\n(sec.187-ssec.3) Subsection (2) does not apply in relation to information that is in a document required to be kept by the person under this Act.","sortOrder":223},{"sectionNumber":"sec.188","sectionType":"section","heading":"Disclosure or taking advantage of information","content":"### sec.188 Disclosure or taking advantage of information\n\nIf a person is or has been the information commissioner or a member of the staff of the OIC, the person must not—\notherwise than for the purposes of this Act or a proceeding arising under this Act, disclose any information that the person obtained in performing functions under this Act; or\ntake advantage of that information to benefit themself or another person.\nSubsection (1)(a) does not apply if the person reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety.\nMaximum penalty—100 penalty units.\ns 188 amd 2023 No. 32 s 64\n(sec.188-ssec.1) If a person is or has been the information commissioner or a member of the staff of the OIC, the person must not— otherwise than for the purposes of this Act or a proceeding arising under this Act, disclose any information that the person obtained in performing functions under this Act; or take advantage of that information to benefit themself or another person.\n(sec.188-ssec.2) Subsection (1)(a) does not apply if the person reasonably believes that the disclosure is necessary to lessen or prevent 
a serious threat to the life, health or safety of an individual, or to public health or safety.\n- (a) otherwise than for the purposes of this Act or a proceeding arising under this Act, disclose any information that the person obtained in performing functions under this Act; or\n- (b) take advantage of that information to benefit themself or another person.","sortOrder":224},{"sectionNumber":"ch.7-pt.1","sectionType":"part","heading":null,"content":"","sortOrder":225},{"sectionNumber":"sec.189","sectionType":"section","heading":null,"content":"### Section sec.189\n\ns 189 amd 2023 No. 33 s 107 sch 5\nom 2023 No. 32 s 65","sortOrder":226},{"sectionNumber":"sec.190","sectionType":"section","heading":null,"content":"### Section sec.190\n\ns 190 om 2023 No. 32 s 65","sortOrder":227},{"sectionNumber":"sec.191","sectionType":"section","heading":null,"content":"### Section sec.191\n\ns 191 amd 2023 No. 33 s 107 sch 5\nom 2023 No. 32 s 65","sortOrder":228},{"sectionNumber":"ch.7-pt.2","sectionType":"part","heading":"Operation of this Act","content":"# Operation of this Act","sortOrder":229},{"sectionNumber":"sec.192","sectionType":"section","heading":"Review of Act","content":"### sec.192 Review of Act\n\nThe Minister must review this Act and the review must start no later than 2 years after the commencement of this section.\nThe objects of the review include—\ndeciding whether the primary object of this Act remains valid; and\ndeciding whether this Act is meeting its primary object; and\ndeciding whether the provisions of this Act are appropriate for meeting its primary object; and\ninvestigating any specific issue recommended by the Minister or the information commissioner.\nThe Minister must, as soon as practicable after finishing the review, table a report about the outcome of the review in the Assembly.\n(sec.192-ssec.1) The Minister must review this Act and the review must start no later than 
2 years after the commencement of this section.\n(sec.192-ssec.2) The objects of the review include— deciding whether the primary object of this Act remains valid; and deciding whether this Act is meeting its primary object; and deciding whether the provisions of this Act are appropriate for meeting its primary object; and investigating any specific issue recommended by the Minister or the information commissioner.\n(sec.192-ssec.3) The Minister must, as soon as practicable after finishing the review, table a report about the outcome of the review in the Assembly.\n- (a) deciding whether the primary object of this Act remains valid; and\n- (b) deciding whether this Act is meeting its primary object; and\n- (c) deciding whether the provisions of this Act are appropriate for meeting its primary object; and\n- (d) investigating any specific issue recommended by the Minister or the information commissioner.","sortOrder":230},{"sectionNumber":"sec.193","sectionType":"section","heading":"Reports of information commissioner","content":"### sec.193 Reports of information commissioner\n\nThe information commissioner may make a report to the Speaker on matters relating to—\nthe findings of a reportable matter under section 135(2); or\nthe performance of any other function of the commissioner.\nThe commissioner must, as soon as practicable after the end of each financial year, give the Speaker and parliamentary committee a report of the operations of the OIC under this Act during that year.\nA report under subsection (2) must include, in relation to the financial year to which it relates, details of the matters prescribed under a regulation.\nThe parliamentary committee may require the information commissioner to prepare and give the committee a report on a particular aspect of the performance of the commissioner’s functions.\nIf a report of the commissioner is given to the Speaker or the parliamentary committee, the Speaker or chairperson of the committee must 
cause the report to be tabled in the Assembly on the next sitting day after it is given.\nAn annual report under this section may be included as part of an annual report the commissioner is required to give under the Right to Information Act.\ns 193 amd 2023 No. 32 s 66\n(sec.193-ssec.1) The information commissioner may make a report to the Speaker on matters relating to— the findings of a reportable matter under section 135(2); or the performance of any other function of the commissioner.\n(sec.193-ssec.2) The commissioner must, as soon as practicable after the end of each financial year, give the Speaker and parliamentary committee a report of the operations of the OIC under this Act during that year.\n(sec.193-ssec.3) A report under subsection (2) must include, in relation to the financial year to which it relates, details of the matters prescribed under a regulation.\n(sec.193-ssec.4) The parliamentary committee may require the information commissioner to prepare and give the committee a report on a particular aspect of the performance of the commissioner’s functions.\n(sec.193-ssec.5) If a report of the commissioner is given to the Speaker or the parliamentary committee, the Speaker or chairperson of the committee must cause the report to be tabled in the Assembly on the next sitting day after it is given.\n(sec.193-ssec.6) An annual report under this section may be included as part of an annual report the commissioner is required to give under the Right to Information Act.\n- (a) the findings of a reportable matter under section 135(2); or\n- (b) the performance of any other function of the commissioner.","sortOrder":231},{"sectionNumber":"sec.194","sectionType":"section","heading":"Report to Assembly on Act’s operation","content":"### sec.194 Report to Assembly on Act’s operation\n\nThe Minister administering this Act shall, as soon as practicable after the end of each financial year, prepare a report on the operation of 
this Act during that year and cause a copy of the report to be tabled in the Assembly.\nA report under subsection (1) must include, in relation to the financial year to which it relates, particulars of the matters prescribed under a regulation.\nA report under this section may be included and tabled as part of a report prepared by the Minister and given and tabled under the Right to Information Act, section 185.\ns 194 amd 2024 No. 3 s 73 sch 1\n(sec.194-ssec.1) The Minister administering this Act shall, as soon as practicable after the end of each financial year, prepare a report on the operation of this Act during that year and cause a copy of the report to be tabled in the Assembly.\n(sec.194-ssec.2) A report under subsection (1) must include, in relation to the financial year to which it relates, particulars of the matters prescribed under a regulation.\n(sec.194-ssec.3) A report under this section may be included and tabled as part of a report prepared by the Minister and given and tabled under the Right to Information Act, section 185.","sortOrder":232},{"sectionNumber":"sec.195","sectionType":"section","heading":"Functions of parliamentary committee","content":"### sec.195 Functions of parliamentary committee\n\nThe parliamentary committee has the following functions under this Act—\nto monitor and review the performance by the information commissioner of the commissioner’s functions under this Act;\nto report to the Assembly on any matter concerning the commissioner, the commissioner’s functions or the performance of the commissioner’s functions that the committee considers should be drawn to the Assembly’s attention;\nto examine each annual report tabled in the Assembly under this Act and, if appropriate, to comment on any aspect of the report and to make recommendations;\nto report to the Assembly any changes to the functions, structures and procedures of the OIC the committee considers desirable for the more 
effective operation of this Act;\nthe other functions conferred on the parliamentary committee by this Act.\ns 195 amd 2011 No. 15 s 56; 2023 No. 32 s 68\n- (a) to monitor and review the performance by the information commissioner of the commissioner’s functions under this Act;\n- (b) to report to the Assembly on any matter concerning the commissioner, the commissioner’s functions or the performance of the commissioner’s functions that the committee considers should be drawn to the Assembly’s attention;\n- (c) to examine each annual report tabled in the Assembly under this Act and, if appropriate, to comment on any aspect of the report and to make recommendations;\n- (d) to report to the Assembly any changes to the functions, structures and procedures of the OIC the committee considers desirable for the more effective operation of this Act;\n- (e) the other functions conferred on the parliamentary committee by this Act.","sortOrder":233},{"sectionNumber":"ch.7-pt.3","sectionType":"part","heading":"Other","content":"# Other","sortOrder":234},{"sectionNumber":"sec.196","sectionType":"section","heading":"Power of person acting for another person","content":"### sec.196 Power of person acting for another person\n\nTo remove any doubt, it is declared that, in relation to a matter under this Act—\na person’s agent is able to do, in accordance with the terms of the person’s authorisation as agent, anything that the person could do; and\na child’s parent is able to do anything that the child could do if the child were an adult.\nIn this section—\nchild means an individual who is under 18 years.\nparent —\nParent, of a child, means any of the following persons—\nthe child’s mother;\nthe child’s father;\na person who exercises parental responsibility for the child, including a person who is granted guardianship of the child under the Child Protection Act 1999 or who otherwise exercises parental responsibility for the child under a decision or order 
of a federal court or a court of a State.\nHowever, a person standing in the place of a parent of a child on a temporary basis is not a parent of the child.\nA parent of an Aboriginal child includes a person who, under Aboriginal tradition, is regarded as a parent of the child.\nA parent of a Torres Strait Islander child includes a person who, under Island custom, is regarded as a parent of the child.\ns 196 amd 2023 No. 32 s 69\n(sec.196-ssec.1) To remove any doubt, it is declared that, in relation to a matter under this Act— a person’s agent is able to do, in accordance with the terms of the person’s authorisation as agent, anything that the person could do; and a child’s parent is able to do anything that the child could do if the child were an adult.\n(sec.196-ssec.2) In this section— child means an individual who is under 18 years. parent — Parent, of a child, means any of the following persons— the child’s mother; the child’s father; a person who exercises parental responsibility for the child, including a person who is granted guardianship of the child under the Child Protection Act 1999 or who otherwise exercises parental responsibility for the child under a decision or order of a federal court or a court of a State. However, a person standing in the place of a parent of a child on a temporary basis is not a parent of the child. A parent of an Aboriginal child includes a person who, under Aboriginal tradition, is regarded as a parent of the child. 
A parent of a Torres Strait Islander child includes a person who, under Island custom, is regarded as a parent of the child.\n- (a) a person’s agent is able to do, in accordance with the terms of the person’s authorisation as agent, anything that the person could do; and\n- (b) a child’s parent is able to do anything that the child could do if the child were an adult.\n- 1 Parent, of a child, means any of the following persons— (a) the child’s mother; (b) the child’s father; (c) a person who exercises parental responsibility for the child, including a person who is granted guardianship of the child under the Child Protection Act 1999 or who otherwise exercises parental responsibility for the child under a decision or order of a federal court or a court of a State.\n- (a) the child’s mother;\n- (b) the child’s father;\n- (c) a person who exercises parental responsibility for the child, including a person who is granted guardianship of the child under the Child Protection Act 1999 or who otherwise exercises parental responsibility for the child under a decision or order of a federal court or a court of a State.\n- 2 However, a person standing in the place of a parent of a child on a temporary basis is not a parent of the child.\n- 3 A parent of an Aboriginal child includes a person who, under Aboriginal tradition, is regarded as a parent of the child.\n- 4 A parent of a Torres Strait Islander child includes a person who, under Island custom, is regarded as a parent of the child.\n- (a) the child’s mother;\n- (b) the child’s father;\n- (c) a person who exercises parental responsibility for the child, including a person who is granted guardianship of the child under the Child Protection Act 1999 or who otherwise exercises parental responsibility for the child under a decision or order of a federal court or a court of a State.","sortOrder":235},{"sectionNumber":"sec.196A","sectionType":"section","heading":"Information commissioner may make preliminary 
inquiries","content":"### sec.196A Information commissioner may make preliminary inquiries\n\nThe information commissioner may make preliminary inquiries of any person for the purpose of determining whether to investigate an act or practice on the commissioner’s own initiative or otherwise under section 135(1)(a)(ii).\ns 196A ins 2023 No. 32 s 70","sortOrder":236},{"sectionNumber":"sec.197","sectionType":"section","heading":"Power of information commissioner to require information or attendance","content":"### sec.197 Power of information commissioner to require information or attendance\n\nThis section applies if the information commissioner is satisfied on reasonable grounds that a person has information relevant to—\na review into personal information handling practices under section 135(1)(a)(i); or\nan investigation of an act done or practice engaged in by a relevant entity in relation to personal information under section 135(1)(a)(ii); or\nan audit under section 135(1)(b)(iii); or\na decision of the commissioner whether to give an agency a compliance notice under chapter 4; or\npreliminary inquiries the commissioner is making of the respondent for a privacy complaint under section 167; or\nthe mediation of a privacy complaint under chapter 5.\nThe commissioner may give the person a written notice requiring the person to give the information to the commissioner in written form.\nThe written notice given by the commissioner must state—\nwhere the information must be given to the commissioner; and\na reasonable time at which, or a reasonable period within which, the information must be given.\nThe commissioner may also give the person a written notice requiring the person to attend before the commissioner at a reasonable time and place stated in the notice to answer questions relevant to the matter mentioned in subsection (1).\nThe commissioner may administer an oath or affirmation to a 
person required under subsection (4) to attend before the commissioner and may examine the person on oath or affirmation.\nThe oath or affirmation is an oath or affirmation that the answers the person will give will be true.\ns 197 amd 2023 No. 32 s 71\n(sec.197-ssec.1) This section applies if the information commissioner is satisfied on reasonable grounds that a person has information relevant to— a review into personal information handling practices under section 135(1)(a)(i); or an investigation of an act done or practice engaged in by a relevant entity in relation to personal information under section 135(1)(a)(ii); or an audit under section 135(1)(b)(iii); or a decision of the commissioner whether to give an agency a compliance notice under chapter 4; or preliminary inquiries the commissioner is making of the respondent for a privacy complaint under section 167; or the mediation of a privacy complaint under chapter 5.\n(sec.197-ssec.2) The commissioner may give the person a written notice requiring the person to give the information to the commissioner in written form.\n(sec.197-ssec.3) The written notice given by the commissioner must state— where the information must be given to the commissioner; and a reasonable time at which, or a reasonable period within which, the information must be given.\n(sec.197-ssec.4) The commissioner may also give the person a written notice requiring the person to attend before the commissioner at a reasonable time and place stated in the notice to answer questions relevant to the matter mentioned in subsection (1).\n(sec.197-ssec.5) The commissioner may administer an oath or affirmation to a person required under subsection (4) to attend before the commissioner and may examine the person on oath or affirmation.\n(sec.197-ssec.6) The oath or affirmation is an oath or affirmation that the answers the person will give will be true.\n- (a) a review into 
personal information handling practices under section 135(1)(a)(i); or\n- (b) an investigation of an act done or practice engaged in by a relevant entity in relation to personal information under section 135(1)(a)(ii); or\n- (c) an audit under section 135(1)(b)(iii); or\n- (d) a decision of the commissioner whether to give an agency a compliance notice under chapter 4; or\n- (e) preliminary inquiries the commissioner is making of the respondent for a privacy complaint under section 167; or\n- (f) the mediation of a privacy complaint under chapter 5.\n- (a) where the information must be given to the commissioner; and\n- (b) a reasonable time at which, or a reasonable period within which, the information must be given.","sortOrder":237},{"sectionNumber":"sec.198","sectionType":"section","heading":null,"content":"### Section sec.198\n\ns 198 om 2023 No. 32 s 141 sch 1 pt 2","sortOrder":238},{"sectionNumber":"sec.199","sectionType":"section","heading":"Exchange of information","content":"### sec.199 Exchange of information\n\nThe information commissioner may enter into an arrangement (an information-sharing arrangement) with a prescribed agency for the purpose of sharing or exchanging information—\nheld by the information commissioner or the prescribed agency; or\nto which the information commissioner or prescribed agency has access.\nAn information-sharing arrangement may relate only to information that assists—\nthe information commissioner perform the commissioner’s functions under this Act; or\nthe prescribed agency perform its functions.\nUnder an information-sharing arrangement, the information commissioner and the prescribed agency are, despite another Act or law, authorised to—\nask for and receive information held by the other party to the arrangement or to which the other party has access; and\ndisclose information to the other party.\nIn this section—\nprescribed agency —\nmeans a 
department or administrative unit within a department that has functions related to whole of government cybersecurity management and operations; or\na department or government entity of the State, another State or the Commonwealth that has functions related to protecting the privacy of individuals, whether or not the entity has other functions; or\nanother department, public authority or government entity of the State, another State or the Commonwealth, prescribed by regulation for this paragraph.\ns&#160;199 sub 2023 No.&#160;32 s&#160;72\n(sec.199-ssec.1) The information commissioner may enter into an arrangement (an information-sharing arrangement ) with a prescribed agency for the purpose of sharing or exchanging information— held by the information commissioner or the prescribed agency; or to which the information commissioner or prescribed agency has access.\n(sec.199-ssec.2) An information-sharing arrangement may relate only to information that assists— the information commissioner perform the commissioner’s functions under this Act; or the prescribed agency perform its functions.\n(sec.199-ssec.3) Under an information-sharing arrangement, the information commissioner and the prescribed agency are, despite another Act or law, authorised to— ask for and receive information held by the other party to the arrangement or to which the other party has access; and disclose information to the other party.\n(sec.199-ssec.4) In this section— prescribed agency — means a department or administrative unit within a department that has functions related to whole of government cybersecurity management and operations; or a department or government entity of the State, another State or the Commonwealth that has functions related to protecting the privacy of individuals, whether or not the entity has other functions; or another department, public authority or government entity of the State, another State or the Commonwealth, prescribed by regulation for this paragraph.\n- (a) 
held by the information commissioner or the prescribed agency; or\n- (b) to which the information commissioner or prescribed agency has access.\n- (a) the information commissioner perform the commissioner’s functions under this Act; or\n- (b) the prescribed agency perform its functions.\n- (a) ask for and receive information held by the other party to the arrangement or to which the other party has access; and\n- (b) disclose information to the other party.\n- (a) means a department or administrative unit within a department that has functions related to whole of government cybersecurity management and operations; or\n- (b) a department or government entity of the State, another State or the Commonwealth that has functions related to protecting the privacy of individuals, whether or not the entity has other functions; or\n- (c) another department, public authority or government entity of the State, another State or the Commonwealth, prescribed by regulation for this paragraph.","sortOrder":239},{"sectionNumber":"sec.199A","sectionType":"section","heading":"Corporations legislation displacement","content":"### sec.199A Corporations legislation displacement\n\nA regulation may declare a provision of this Act that applies in relation to a prescribed corporation to be a Corporations legislation displacement provision for the purposes of the Corporations Act , section&#160;5G .\nA regulation under subsection&#160;(1) may be declared to apply in relation to—\nthe whole of the Corporations legislation or a particular provision of the Corporations legislation; or\nall prescribed corporations or a particular prescribed corporation.\nIn this section—\nprescribed corporation means a corporation, within the meaning of the Corporations Act , that is declared under section&#160;21 (1) (c) to be a public authority for this Act.\ns&#160;199A ins 2023 No.&#160;32 s&#160;72\n(sec.199A-ssec.1) A regulation may declare a provision of this Act that applies in relation to a prescribed 
corporation to be a Corporations legislation displacement provision for the purposes of the Corporations Act , section&#160;5G .\n(sec.199A-ssec.2) A regulation under subsection&#160;(1) may be declared to apply in relation to— the whole of the Corporations legislation or a particular provision of the Corporations legislation; or all prescribed corporations or a particular prescribed corporation.\n(sec.199A-ssec.3) In this section— prescribed corporation means a corporation, within the meaning of the Corporations Act , that is declared under section&#160;21 (1) (c) to be a public authority for this Act.\n- (a) the whole of the Corporations legislation or a particular provision of the Corporations legislation; or\n- (b) all prescribed corporations or a particular prescribed corporation.","sortOrder":240},{"sectionNumber":"sec.200","sectionType":"section","heading":"Approval of forms","content":"### sec.200 Approval of forms\n\nThe chief executive may approve forms for use under this Act.","sortOrder":241},{"sectionNumber":"sec.201","sectionType":"section","heading":"Regulation-making power","content":"### sec.201 Regulation-making power\n\nThe Governor in Council may make regulations under this Act.","sortOrder":242},{"sectionNumber":"ch.8-pt.1","sectionType":"part","heading":"Transitional provisions for Act No. 14 of 2009","content":"# Transitional provisions for Act No. 
14 of 2009","sortOrder":243},{"sectionNumber":"sec.202","sectionType":"section","heading":"Delayed application of Act other than ch 3 to local governments","content":"### sec.202 Delayed application of Act other than ch 3 to local governments\n\nThis Act, other than the relevant provisions, does not apply to a local government until 1 year after the commencement of this section.\nIn this section—\nrelevant provisions means—\nchapter&#160;3; and\nthe other provisions of this Act to the extent they apply for the purposes of chapter&#160;3.\n(sec.202-ssec.1) This Act, other than the relevant provisions, does not apply to a local government until 1 year after the commencement of this section.\n(sec.202-ssec.2) In this section— relevant provisions means— chapter&#160;3; and the other provisions of this Act to the extent they apply for the purposes of chapter&#160;3.\n- (a) chapter&#160;3; and\n- (b) the other provisions of this Act to the extent they apply for the purposes of chapter&#160;3.","sortOrder":244},{"sectionNumber":"sec.203","sectionType":"section","heading":"Outdated references","content":"### sec.203 Outdated references\n\nIn an Act or document, if the context permits, a reference to the Freedom of Information Act 1992 is taken to be a reference to this Act.","sortOrder":245},{"sectionNumber":"sec.204","sectionType":"section","heading":"Pre-enactment recruitment process","content":"### sec.204 Pre-enactment recruitment process\n\nAn appointment of a person as privacy commissioner after the enactment of this Act is not to be taken to be invalid only because action was taken in relation to the filling of the role of privacy commissioner before the enactment.","sortOrder":246},{"sectionNumber":"sec.205","sectionType":"section","heading":"Refusal to deal with application—previous application for same documents","content":"### sec.205 Refusal to deal with application—previous application for same documents\n\nFor section&#160;62 or 63, a first application may be 
an application under the repealed Freedom of Information Act 1992 .","sortOrder":247},{"sectionNumber":"sec.206","sectionType":"section","heading":"Delayed filing of certified agreement with QCAT","content":"### sec.206 Delayed filing of certified agreement with QCAT\n\nThis section applies if—\na privacy complaint becomes the subject of a certified agreement under chapter&#160;5 before QCAT comes into existence; and\nthe complainant or respondent for the complaint wishes to file a copy of the agreement with QCAT.\nThe agreement must be filed within 20 business days after QCAT comes into existence.\n(sec.206-ssec.1) This section applies if— a privacy complaint becomes the subject of a certified agreement under chapter&#160;5 before QCAT comes into existence; and the complainant or respondent for the complaint wishes to file a copy of the agreement with QCAT.\n(sec.206-ssec.2) The agreement must be filed within 20 business days after QCAT comes into existence.\n- (a) a privacy complaint becomes the subject of a certified agreement under chapter&#160;5 before QCAT comes into existence; and\n- (b) the complainant or respondent for the complaint wishes to file a copy of the agreement with QCAT.","sortOrder":248},{"sectionNumber":"sec.207","sectionType":"section","heading":"Delayed referral of privacy complaint to QCAT","content":"### sec.207 Delayed referral of privacy complaint to QCAT\n\nThis section applies if the information commissioner is required under chapter&#160;5 to refer a privacy complaint to QCAT before QCAT comes into existence.\nThe commissioner must refer the privacy complaint to QCAT within 20 business days after QCAT comes into existence.\n(sec.207-ssec.1) This section applies if the information commissioner is required under chapter&#160;5 to refer a privacy complaint to QCAT before QCAT comes into existence.\n(sec.207-ssec.2) The commissioner must refer the privacy complaint to QCAT within 20 business days after QCAT comes into 
existence.","sortOrder":249},{"sectionNumber":"sec.208","sectionType":"section","heading":"Delayed application to QCAT","content":"### sec.208 Delayed application to QCAT\n\nIf a person may appeal to the appeal tribunal under section&#160;132 before QCAT comes into existence, the person may appeal to the appeal tribunal within 20 business days after QCAT comes into existence.\nIf a person may, within a period, apply to QCAT under section&#160;133 before QCAT comes into existence, the person may apply to QCAT within that period after QCAT comes into existence.\n(sec.208-ssec.1) If a person may appeal to the appeal tribunal under section&#160;132 before QCAT comes into existence, the person may appeal to the appeal tribunal within 20 business days after QCAT comes into existence.\n(sec.208-ssec.2) If a person may, within a period, apply to QCAT under section&#160;133 before QCAT comes into existence, the person may apply to QCAT within that period after QCAT comes into existence.","sortOrder":250},{"sectionNumber":"sec.209","sectionType":"section","heading":"Privacy complaints to relate to actions after ch 5 commencement","content":"### sec.209 Privacy complaints to relate to actions after ch 5 commencement\n\nA privacy complaint may be made only about a breach of an entity’s obligation happening after the commencement of chapter&#160;5.","sortOrder":251},{"sectionNumber":"sec.210","sectionType":"section","heading":"Continuing application of relevant information standards","content":"### sec.210 Continuing application of relevant information standards\n\nThis section applies if—\na contract or other arrangement (the relevant agreement ) entered into before the commencement, applies, or otherwise refers to, a relevant information standard; and\non or after the commencement, the relevant information standard is repealed, or the application of the standard in Queensland is otherwise ended.\nFor the purposes of the ongoing operation of the relevant agreement, the 
relevant information standard, as in force for the purposes of the relevant agreement immediately before the commencement, continues to apply for the purposes of the relevant agreement as if the standard still applied in Queensland in the same way it applied immediately before the commencement.\nIn this section—\ncommencement means the commencement of this section.\nrelevant information standard means an instrument applying in Queensland before the commencement of this section under the name of—\nInformation Standard No. 42; or\nInformation Standard No. 42A.\n(sec.210-ssec.1) This section applies if— a contract or other arrangement (the relevant agreement ) entered into before the commencement, applies, or otherwise refers to, a relevant information standard; and on or after the commencement, the relevant information standard is repealed, or the application of the standard in Queensland is otherwise ended.\n(sec.210-ssec.2) For the purposes of the ongoing operation of the relevant agreement, the relevant information standard, as in force for the purposes of the relevant agreement immediately before the commencement, continues to apply for the purposes of the relevant agreement as if the standard still applied in Queensland in the same way it applied immediately before the commencement.\n(sec.210-ssec.3) In this section— commencement means the commencement of this section. relevant information standard means an instrument applying in Queensland before the commencement of this section under the name of— Information Standard No. 42; or Information Standard No. 42A.\n- (a) a contract or other arrangement (the relevant agreement ) entered into before the commencement, applies, or otherwise refers to, a relevant information standard; and\n- (b) on or after the commencement, the relevant information standard is repealed, or the application of the standard in Queensland is otherwise ended.\n- (a) Information Standard No. 42; or\n- (b) Information Standard No. 
42A.","sortOrder":252},{"sectionNumber":"sec.211","sectionType":"section","heading":"Acts and practices authorised before relevant date","content":"### sec.211 Acts and practices authorised before relevant date\n\nThe privacy principles do not apply to an entity in relation to an act done or practice engaged in by the entity on or after the relevant date if the act or practice is necessary for the performance of a contract entered into before the relevant date.\nIn this section—\nrelevant date means—\nfor an entity other than a local government—1 July 2009; or\nfor a local government—1 July 2010.\nUnder section&#160;202, this Act (other than particular provisions mentioned in that section) does not apply to a local government until 1 July 2010.\ns&#160;211 sub 2010 No.&#160;23 s&#160;268\n(sec.211-ssec.1) The privacy principles do not apply to an entity in relation to an act done or practice engaged in by the entity on or after the relevant date if the act or practice is necessary for the performance of a contract entered into before the relevant date.\n(sec.211-ssec.2) In this section— relevant date means— for an entity other than a local government—1 July 2009; or for a local government—1 July 2010. 
Under section&#160;202, this Act (other than particular provisions mentioned in that section) does not apply to a local government until 1 July 2010.\n- (a) for an entity other than a local government—1 July 2009; or\n- (b) for a local government—1 July 2010.","sortOrder":253},{"sectionNumber":"ch.8-pt.2","sectionType":"part","heading":"Transitional provisions for State Penalties Enforcement and Other Legislation Amendment Act 2009","content":"# Transitional provisions for State Penalties Enforcement and Other Legislation Amendment Act 2009","sortOrder":254},{"sectionNumber":"sec.212","sectionType":"section","heading":"Definition for pt&#160;2","content":"### sec.212 Definition for pt&#160;2\n\nIn this part—\nrelevant period means the period starting on 1 July 2009 and ending immediately before the commencement of this part.\ns&#160;212 ins 2009 No.&#160;48 s&#160;226","sortOrder":255},{"sectionNumber":"sec.213","sectionType":"section","heading":"Retrospective validation for particular delegations and directions","content":"### sec.213 Retrospective validation for particular delegations and directions\n\nA delegation, or an amendment of a delegation, made by a principal officer under this Act during the relevant period is taken to be, and always to have been, as valid as if section&#160;50, as in force immediately after the commencement of this part, had been in force on the day the delegation, or the amendment, was made.\nA direction given by a Minister under this Act during the relevant period is taken to be, and always to have been, as valid as if section&#160;51, as in force immediately after the commencement of this part, had been in force on the day the direction was given.\ns&#160;213 ins 2009 No.&#160;48 s&#160;226\n(sec.213-ssec.1) A delegation, or an amendment of a delegation, made by a principal officer under this Act during the relevant period is taken to be, and always to have been, as valid as if section&#160;50, as in force immediately after the 
commencement of this part, had been in force on the day the delegation, or the amendment, was made.\n(sec.213-ssec.2) A direction given by a Minister under this Act during the relevant period is taken to be, and always to have been, as valid as if section&#160;51, as in force immediately after the commencement of this part, had been in force on the day the direction was given.","sortOrder":256},{"sectionNumber":"sec.214","sectionType":"section","heading":"Decision under s&#160;69(2) is a reviewable decision","content":"### sec.214 Decision under s&#160;69(2) is a reviewable decision\n\nIt is declared that a decision made during the relevant period stating the matters mentioned in section&#160;69(2) is, and always has been, a reviewable decision under this Act as if section&#160;69, as in force immediately after the commencement of this part, had been in force on the day the decision was made.\nDespite section&#160;96(c) or 101(1)(d), an application for internal review or external review in relation to the decision may be made within 20 business days after the commencement of this part.\nIf an application for internal review or external review in relation to the decision is made before the commencement of this part, for the purposes of any review, the application is taken to have been made immediately after the commencement of this part.\ns&#160;214 ins 2009 No.&#160;48 s&#160;226\n(sec.214-ssec.1) It is declared that a decision made during the relevant period stating the matters mentioned in section&#160;69(2) is, and always has been, a reviewable decision under this Act as if section&#160;69, as in force immediately after the commencement of this part, had been in force on the day the decision was made.\n(sec.214-ssec.2) Despite section&#160;96(c) or 101(1)(d), an application for internal review or external review in relation to the decision may be made within 20 business days after the commencement of this part.\n(sec.214-ssec.3) If an application for internal 
review or external review in relation to the decision is made before the commencement of this part, for the purposes of any review, the application is taken to have been made immediately after the commencement of this part.","sortOrder":257},{"sectionNumber":"ch.8-pt.3","sectionType":"part","heading":"Transitional provisions for Information Privacy and Other Legislation Amendment Act 2023","content":"# Transitional provisions for Information Privacy and Other Legislation Amendment Act 2023","sortOrder":258},{"sectionNumber":"sec.215","sectionType":"section","heading":"Definitions for part","content":"### sec.215 Definitions for part\n\nIn this part—\namendment Act means the Information Privacy and Other Legislation Amendment Act 2023 .\nformer , for a provision of this Act, means the provision as in force from time to time before the commencement of the provision in which the term is used.\nformer IP Act means this Act as in force from time to time before the commencement of the provision in which the term is used.\ns&#160;215 ins 2023 No.&#160;32 s&#160;73","sortOrder":259},{"sectionNumber":"sec.216","sectionType":"section","heading":"Existing bound contracted service providers","content":"### sec.216 Existing bound contracted service providers\n\nThis section applies in relation to a contracted service provider that, immediately before the commencement, was a bound contracted service provider required to comply with former chapter&#160;2, part&#160;1 or 2 and part&#160;3 under former section&#160;36.\nThe requirement to comply with former chapter&#160;2, part&#160;1 or 2 and part&#160;3 continues to apply to the contracted service provider in relation to personal information it holds under the service arrangement.\nThis Act applies in relation to the contracted service provider as if a reference to the privacy principle requirements were a reference to the requirement to comply with former chapter&#160;2, part&#160;1 or 2 and part&#160;3 under former 
section&#160;36.\nSubsections&#160;(2) and (3) do not prevent the contracted service provider and agency agreeing to vary the service arrangement to require the contracted service provider to comply with chapter&#160;2, parts&#160;1 and 2 and section&#160;41.\nThis section stops applying in relation to the contracted service provider if the service arrangement is varied as mentioned in subsection&#160;(4).\ns&#160;216 ins 2023 No.&#160;32 s&#160;73\n(sec.216-ssec.1) This section applies in relation to a contracted service provider that, immediately before the commencement, was a bound contracted service provider required to comply with former chapter&#160;2, part&#160;1 or 2 and part&#160;3 under former section&#160;36.\n(sec.216-ssec.2) The requirement to comply with former chapter&#160;2, part&#160;1 or 2 and part&#160;3 continues to apply to the contracted service provider in relation to personal information it holds under the service arrangement.\n(sec.216-ssec.3) This Act applies in relation to the contracted service provider as if a reference to the privacy principle requirements were a reference to the requirement to comply with former chapter&#160;2, part&#160;1 or 2 and part&#160;3 under former section&#160;36.\n(sec.216-ssec.4) Subsections&#160;(2) and (3) do not prevent the contracted service provider and agency agreeing to vary the service arrangement to require the contracted service provider to comply with chapter&#160;2, parts&#160;1 and 2 and section&#160;41.\n(sec.216-ssec.5) This section stops applying in relation to the contracted service provider if the service arrangement is varied as mentioned in subsection&#160;(4).","sortOrder":260},{"sectionNumber":"sec.217","sectionType":"section","heading":"Existing access and amendment applications","content":"### sec.217 Existing access and amendment applications\n\nThis section applies if an application or purported application under former chapter&#160;3 has been made, but not finalised, before the 
commencement.\nThe former IP Act continues to apply in relation to the application or purported application as if the amendment Act had not been enacted.\nFor subsection&#160;(1), an application or purported application under former chapter&#160;3 has not been finalised until—\na decision on the application or purported application has been made or taken to have been made; and\neither—\nthe time for exercising any review rights or appeal rights in relation to the decision has ended without any rights being exercised; or\nany review or appeal in relation to the decision has ended.\nSee also the Right to Information Act , section&#160;206Q .\ns&#160;217 ins 2023 No.&#160;32 s&#160;73\n(sec.217-ssec.1) This section applies if an application or purported application under former chapter&#160;3 has been made, but not finalised, before the commencement.\n(sec.217-ssec.2) The former IP Act continues to apply in relation to the application or purported application as if the amendment Act had not been enacted.\n(sec.217-ssec.3) For subsection&#160;(1), an application or purported application under former chapter&#160;3 has not been finalised until— a decision on the application or purported application has been made or taken to have been made; and either— the time for exercising any review rights or appeal rights in relation to the decision has ended without any rights being exercised; or any review or appeal in relation to the decision has ended.\n- (a) a decision on the application or purported application has been made or taken to have been made; and\n- (b) either— (i) the time for exercising any review rights or appeal rights in relation to the decision has ended without any rights being exercised; or (ii) any review or appeal in relation to the decision has ended.\n- (i) the time for exercising any review rights or appeal rights in relation to the decision has ended without any rights being exercised; or\n- (ii) any review or appeal in relation to the decision has 
ended.","sortOrder":261},{"sectionNumber":"sec.218","sectionType":"section","heading":"Continued protection for giving access to or publishing chapter&#160;3 documents","content":"### sec.218 Continued protection for giving access to or publishing chapter&#160;3 documents\n\nThis section applies in relation to a chapter&#160;3 document accessed or published—\nbefore the commencement; or\nunder section&#160;217.\nFormer sections&#160;179 and 181 continue to apply in relation to the authorising or giving of access to a chapter&#160;3 document as if the amendment Act had not been enacted.\nFormer sections&#160;180 and 182 continue to apply in relation to the publication of a chapter&#160;3 document as if the amendment Act had not been enacted.\nIn this section—\nchapter&#160;3 document means a chapter&#160;3 document within the meaning of the former IP Act.\ns&#160;218 ins 2023 No.&#160;32 s&#160;73\n(sec.218-ssec.1) This section applies in relation to a chapter&#160;3 document accessed or published— before the commencement; or under section&#160;217.\n(sec.218-ssec.2) Former sections&#160;179 and 181 continue to apply in relation to the authorising or giving of access to a chapter&#160;3 document as if the amendment Act had not been enacted.\n(sec.218-ssec.3) Former sections&#160;180 and 182 continue to apply in relation to the publication of a chapter&#160;3 document as if the amendment Act had not been enacted.\n(sec.218-ssec.4) In this section— chapter&#160;3 document means a chapter&#160;3 document within the meaning of the former IP Act.\n- (a) before the commencement; or\n- (b) under section&#160;217.","sortOrder":262},{"sectionNumber":"sec.219","sectionType":"section","heading":"Delayed application of ch 3A to local governments","content":"### sec.219 
Delayed application of ch 3A to local governments\n\nChapter&#160;3A does not apply in relation to an agency that is a local government until the day that is 1 year after the commencement.\ns&#160;219 ins 2023 No.&#160;32 s&#160;73","sortOrder":263},{"sectionNumber":"sec.220","sectionType":"section","heading":"Existing approvals under former s&#160;157","content":"### sec.220 Existing approvals under former s&#160;157\n\nA waiver or modification approval given under former section&#160;157 lapses on the commencement of this section.\ns&#160;220 ins 2023 No.&#160;32 s&#160;73","sortOrder":264},{"sectionNumber":"sec.221","sectionType":"section","heading":"Existing compliance notices under s&#160;158","content":"### sec.221 Existing compliance notices under s&#160;158\n\nThis section applies if—\nbefore the commencement, the information commissioner had given an agency a compliance notice under section&#160;158 in relation to the privacy principles as in force before the commencement; and\nimmediately before the commencement, the time for complying with the notice under this Act had not ended.\nThe agency must comply with the notice in relation to the privacy principles under the former IP Act as if the amendment Act had not been enacted.\ns&#160;221 ins 2023 No.&#160;32 s&#160;73\n(sec.221-ssec.1) This section applies if— before the commencement, the information commissioner had given an agency a compliance notice under section&#160;158 in relation to the privacy principles as in force before the commencement; and immediately before the commencement, the time for complying with the notice under this Act had not ended.\n(sec.221-ssec.2) The agency must comply with the notice in relation to the privacy principles under the former IP Act as if the amendment Act had not been enacted.\n- (a) before the commencement, the information commissioner had given an agency a compliance notice under section&#160;158 in relation to the privacy principles as in force before the 
commencement; and\n- (b) immediately before the commencement, the time for complying with the notice under this Act had not ended.","sortOrder":265},{"sectionNumber":"sec.222","sectionType":"section","heading":"Information commissioner may issue compliance notice for failure to comply with former IP Act","content":"### sec.222 Information commissioner may issue compliance notice for failure to comply with former IP Act\n\nThis section applies if—\nbefore the commencement, an agency had done an act or engaged in a practice in contravention of a requirement to comply with the privacy principles under the former IP Act; and\nimmediately before the commencement the information commissioner had not yet given a compliance notice to the agency under section&#160;158 in relation to the act or practice; and\nthe act or practice also constitutes a contravention of the privacy principle requirements.\nThe information commissioner may give the agency a compliance notice under section&#160;158 in relation to the act or practice.\ns&#160;222 ins 2023 No.&#160;32 s&#160;73\n(sec.222-ssec.1) This section applies if— before the commencement, an agency had done an act or engaged in a practice in contravention of a requirement to comply with the privacy principles under the former IP Act; and immediately before the commencement the information commissioner had not yet given a compliance notice to the agency under section&#160;158 in relation to the act or practice; and the act or practice also constitutes a contravention of the privacy principle requirements.\n(sec.222-ssec.2) The information commissioner may give the agency a compliance notice under section&#160;158 in relation to the act or practice.\n- (a) before the commencement, an agency had done an act or engaged in a practice in contravention of a requirement to comply with the privacy principles under the former IP Act; and\n- (b) immediately before the commencement the information commissioner had not yet given a compliance 
notice to the agency under section 158 in relation to the act or practice; and\n- (c) the act or practice also constitutes a contravention of the privacy principle requirements.","sortOrder":266},{"sectionNumber":"sec.223","sectionType":"section","heading":"Privacy complaints about act or practice of relevant entity not yet made before commencement","content":"### sec.223 Privacy complaints about act or practice of relevant entity not yet made before commencement\n\nThis section applies if—\nbefore the commencement, a person could have made a privacy complaint under former chapter 5, part 1 about an act or practice engaged in by a relevant entity before the commencement; and\nimmediately before the commencement, the privacy complaint had not been made.\nThe privacy complaint may be made under former chapter 5, and former chapter 5 continues to apply in relation to the complaint, as if the amendment Act had not been enacted.\ns 223 ins 2023 No. 32 s 73\n(sec.223-ssec.1) This section applies if— before the commencement, a person could have made a privacy complaint under former chapter 5, part 1 about an act or practice engaged in by a relevant entity before the commencement; and immediately before the commencement, the privacy complaint had not been made.\n(sec.223-ssec.2) The privacy complaint may be made under former chapter 5, and former chapter 5 continues to apply in relation to the complaint, as if the amendment Act had not been enacted.\n- (a) before the commencement, a person could have made a privacy complaint under former chapter 5, part 1 about an act or practice engaged in by a relevant entity before the commencement; and\n- (b) immediately before the commencement, the privacy complaint had not been made.","sortOrder":267},{"sectionNumber":"sec.224","sectionType":"section","heading":"Privacy complaints made but not finalised before commencement","content":"### sec.224 Privacy complaints 
made but not finalised before commencement\n\nThis section applies if—\nbefore the commencement, a privacy complaint was made or referred to the information commissioner under former chapter 5, part 1; and\nimmediately before the commencement, the complaint, or a part of the complaint, had not been finalised.\nFormer chapter 5 continues to apply in relation to the privacy complaint or part of the privacy complaint as if the amendment Act had not been enacted.\nFor subsection (1)(b), a privacy complaint or part of a privacy complaint is finalised if—\nany of the following apply—\nthe information commissioner has declined to deal, or continue to deal, with the complaint or part under former section 168;\nthe information commissioner has referred the privacy complaint or part to another entity under section 169;\na mediated agreement has been certified for the privacy complaint or part under section 172;\nQCAT has disposed of the complaint or part under former section 178; and\nthe time for exercising any review or appeal rights in relation to a matter mentioned in paragraph (a) has ended without any rights being exercised.\ns 224 ins 2023 No. 32 s 73\n(sec.224-ssec.1) This section applies if— before the commencement, a privacy complaint was made or referred to the information commissioner under former chapter 5, part 1; and immediately before the commencement, the complaint, or a part of the complaint, had not been finalised.\n(sec.224-ssec.2) Former chapter 5 continues to apply in relation to the privacy complaint or part of the privacy complaint as if the amendment Act had not been enacted.\n(sec.224-ssec.3) For subsection (1)(b), a privacy complaint or part of a privacy complaint is finalised if— any of the following apply— the information commissioner has declined to deal, or continue to deal, with the complaint or part under former section 168; the information commissioner has 
referred the privacy complaint or part to another entity under section 169; a mediated agreement has been certified for the privacy complaint or part under section 172; QCAT has disposed of the complaint or part under former section 178; and the time for exercising any review or appeal rights in relation to a matter mentioned in paragraph (a) has ended without any rights being exercised.\n- (a) before the commencement, a privacy complaint was made or referred to the information commissioner under former chapter 5, part 1; and\n- (b) immediately before the commencement, the complaint, or a part of the complaint, had not been finalised.\n- (a) any of the following apply— (i) the information commissioner has declined to deal, or continue to deal, with the complaint or part under former section 168; (ii) the information commissioner has referred the privacy complaint or part to another entity under section 169; (iii) a mediated agreement has been certified for the privacy complaint or part under section 172; (iv) QCAT has disposed of the complaint or part under former section 178; and\n- (i) the information commissioner has declined to deal, or continue to deal, with the complaint or part under former section 168;\n- (ii) the information commissioner has referred the privacy complaint or part to another entity under section 169;\n- (iii) a mediated agreement has been certified for the privacy complaint or part under section 172;\n- (iv) QCAT has disposed of the complaint or part under former section 178; and\n- (b) the time for exercising any review or appeal rights in relation to a matter mentioned in paragraph (a) has ended without any rights being exercised.\n- (i) the information commissioner has declined to deal, or continue to deal, with the complaint or part under former section 168;\n- (ii) the information commissioner has referred the privacy complaint or part to another entity 
under section 169;\n- (iii) a mediated agreement has been certified for the privacy complaint or part under section 172;\n- (iv) QCAT has disposed of the complaint or part under former section 178; and","sortOrder":268},{"sectionNumber":"sec.225","sectionType":"section","heading":"Continuation of sections 185 and 187 for chapter 3 documents","content":"### sec.225 Continuation of sections 185 and 187 for chapter 3 documents\n\nThis section applies in relation to an offence against former section 185 or 187 committed in relation to a chapter 3 document by a person before the commencement.\nWithout limiting the Acts Interpretation Act 1954, section 20, a proceeding for the offence may be continued or started, and the person may be convicted of and punished for the offence, as if the amendment Act, sections 61 and 63 had not commenced.\nSubsection (2) applies despite the Criminal Code, section 11.\ns 225 ins 2023 No. 32 s 73\n(sec.225-ssec.1) This section applies in relation to an offence against former section 185 or 187 committed in relation to a chapter 3 document by a person before the commencement.\n(sec.225-ssec.2) Without limiting the Acts Interpretation Act 1954, section 20, a proceeding for the offence may be continued or started, and the person may be convicted of and punished for the offence, as if the amendment Act, sections 61 and 63 had not commenced.\n(sec.225-ssec.3) Subsection (2) applies despite the Criminal Code, section 11.","sortOrder":269},{"sectionNumber":"sch.2-pt.1","sectionType":"part","heading":"Excluded entities","content":"# Excluded entities","sortOrder":270},{"sectionNumber":"sch.2-pt.2","sectionType":"part","heading":"Entities that are excluded entities in relation to a particular function","content":"# Entities that are excluded entities in relation to a particular 
function","sortOrder":271},{"sectionNumber":"sch.3-pt.1","sectionType":"part","heading":"Consideration of personal information privacy","content":"# Consideration of personal information privacy","sortOrder":272},{"sectionNumber":"sch.3-sec.1","sectionType":"section","heading":"QPP 1—open and transparent management of personal information","content":"### sch.3-sec.1 QPP 1—open and transparent management of personal information\n\nThe object of this QPP is to ensure that agencies manage personal information in an open and transparent way.\nCompliance with the QPPs etc.\nAn agency must take reasonable steps to implement practices, procedures and systems relating to the agency’s functions or activities that—\nwill ensure the agency complies with the QPPs and any QPP code that binds the agency; and\nwill enable the agency to deal with inquiries and complaints from individuals about the agency’s compliance with the QPPs or any QPP code that binds the agency.\nQPP privacy policy\nAn agency must have a clearly expressed and up-to-date policy (the QPP privacy policy) about the management of personal information by the agency.\nWithout limiting QPP 1.3, the QPP privacy policy of the agency must contain the following information—\nthe kinds of personal information that the agency collects and holds;\nhow the agency collects and holds personal information;\nthe purposes for which the agency collects, holds, uses and discloses personal information;\nhow an individual may access personal information about the individual that is held by the agency and seek the correction of the information;\nhow an individual may complain about a breach of the QPPs, or any QPP code that binds the agency, and how the agency will deal with the complaint;\nwhether the agency is likely to disclose personal information to entities outside Australia;\nif the agency is likely to disclose personal information to entities outside of Australia—the countries in which the recipients are likely to be 
located if it is practicable to state those countries in the policy.\nAvailability of QPP privacy policy etc.\nAn agency must take reasonable steps to make its QPP privacy policy available—\nfree of charge; and\nin an appropriate form.\npublication on the agency’s website\nIf a person requests a copy of the QPP privacy policy of an agency in a particular form, the agency must take reasonable steps to give the person a copy in that form.\nsch 3 s 1 sub 2023 No. 32 s 74\n(sch.3-sec.1-ssec.1.1) The object of this QPP is to ensure that agencies manage personal information in an open and transparent way.\n(sch.3-sec.1-ssec) Compliance with the QPPs etc.\n(sch.3-sec.1-ssec.1.2) An agency must take reasonable steps to implement practices, procedures and systems relating to the agency’s functions or activities that— will ensure the agency complies with the QPPs and any QPP code that binds the agency; and will enable the agency to deal with inquiries and complaints from individuals about the agency’s compliance with the QPPs or any QPP code that binds the agency.\n(sch.3-sec.1-ssec-oc.2) QPP privacy policy\n(sch.3-sec.1-ssec.1.3) An agency must have a clearly expressed and up-to-date policy (the QPP privacy policy) about the management of personal information by the agency.\n(sch.3-sec.1-ssec.1.4) Without limiting QPP 1.3, the QPP privacy policy of the agency must contain the following information— the kinds of personal information that the agency collects and holds; how the agency collects and holds personal information; the purposes for which the agency collects, holds, uses and discloses personal information; how an individual may access personal information about the individual that is held by the agency and seek the correction of the information; how an individual may complain about a breach of the QPPs, or any QPP code that binds the agency, and how the agency will deal with the complaint; whether the agency is likely to disclose personal information to 
entities outside Australia; if the agency is likely to disclose personal information to entities outside of Australia—the countries in which the recipients are likely to be located if it is practicable to state those countries in the policy.\n(sch.3-sec.1-ssec-oc.3) Availability of QPP privacy policy etc.\n(sch.3-sec.1-ssec.1.5) An agency must take reasonable steps to make its QPP privacy policy available— free of charge; and in an appropriate form. publication on the agency’s website\n(sch.3-sec.1-ssec.1.6) If a person requests a copy of the QPP privacy policy of an agency in a particular form, the agency must take reasonable steps to give the person a copy in that form.\n- (a) will ensure the agency complies with the QPPs and any QPP code that binds the agency; and\n- (b) will enable the agency to deal with inquiries and complaints from individuals about the agency’s compliance with the QPPs or any QPP code that binds the agency.\n- (a) the kinds of personal information that the agency collects and holds;\n- (b) how the agency collects and holds personal information;\n- (c) the purposes for which the agency collects, holds, uses and discloses personal information;\n- (d) how an individual may access personal information about the individual that is held by the agency and seek the correction of the information;\n- (e) how an individual may complain about a breach of the QPPs, or any QPP code that binds the agency, and how the agency will deal with the complaint;\n- (f) whether the agency is likely to disclose personal information to entities outside Australia;\n- (g) if the agency is likely to disclose personal information to entities outside of Australia—the countries in which the recipients are likely to be located if it is practicable to state those countries in the policy.\n- (a) free of charge; and\n- (b) in an appropriate form.","sortOrder":273},{"sectionNumber":"sch.3-sec.2","sectionType":"section","heading":"QPP 2—anonymity and pseudonymity","content":"### 
sch.3-sec.2 QPP 2—anonymity and pseudonymity\n\nIndividuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an agency in relation to a particular matter.\nQPP 2.1 does not apply if, in relation to the matter—\nthe agency is required or authorised under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves; or\nit is impracticable for the agency to deal with individuals who have not identified themselves or who have used a pseudonym.\nsch 3 s 2 amd 2017 No. 17 s 128\nsub 2023 No. 32 s 74\n(sch.3-sec.2-ssec.2.1) Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an agency in relation to a particular matter.\n(sch.3-sec.2-ssec.2.2) QPP 2.1 does not apply if, in relation to the matter— the agency is required or authorised under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves; or it is impracticable for the agency to deal with individuals who have not identified themselves or who have used a pseudonym.\n- (a) the agency is required or authorised under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves; or\n- (b) it is impracticable for the agency to deal with individuals who have not identified themselves or who have used a pseudonym.","sortOrder":274},{"sectionNumber":"sch.3-pt.2","sectionType":"part","heading":"Collection of personal information","content":"# Collection of personal information","sortOrder":275},{"sectionNumber":"sch.3-sec.3","sectionType":"section","heading":"QPP 3—collection of solicited personal information","content":"### sch.3-sec.3 QPP 3—collection of solicited personal information\n\nPersonal information other than sensitive information\nAn agency must not collect personal information, other than sensitive information, unless the information is reasonably necessary for, 
or directly related to, 1 or more of the agency’s functions or activities.\nThe equivalent APP includes a provision applying to certain private sector entities (see APP 3.2).\nSensitive information\nAn agency must not collect sensitive information about an individual unless—\nthe individual consents to the collection of the information and the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities; or\nThe equivalent APP includes a provision applying to certain private sector entities (see APP 3.3(a)(ii)).\nQPP 3.4 applies in relation to the information.\nThis QPP applies in relation to sensitive information about an individual if—\nthe collection of the information is required or authorised under an Australian law or a court or tribunal order; or\na permitted general situation exists in relation to the collection of the information by the agency; or\nPermitted general situations are stated in schedule 4, part 1.\nthe agency is a health agency and a permitted health situation exists in relation to the collection of the information by the agency; or\nPermitted health situations are stated in schedule 4, part 2.\nthe agency is a law enforcement agency and the agency reasonably believes that the collection of the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities.\nThe equivalent APP includes a provision applying to—\nthe Commonwealth Immigration Department (see APP 3.4(d)(i)); and\nnon-profit organisations (see APP 3.4(e)).\nMeans of collection\nAn agency must collect personal information only by lawful and fair means.\nAn agency must collect personal information about an individual only from the individual unless—\neither—\nthe individual consents to the collection of the information from someone other than the individual; or\nthe agency is required or authorised under an Australian law, or a court or tribunal order, to 
collect the information from someone other than the individual; or\nit is unreasonable or impracticable to do so.\nSolicited personal information\nThis QPP applies to the collection of personal information that is solicited by an agency.\nsch 3 s 3 sub 2023 No. 32 s 74\n(sch.3-sec.3-ssec) Personal information other than sensitive information\n(sch.3-sec.3-ssec.3.1) An agency must not collect personal information, other than sensitive information, unless the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities. The equivalent APP includes a provision applying to certain private sector entities (see APP 3.2).\n(sch.3-sec.3-ssec-oc.2) Sensitive information\n(sch.3-sec.3-ssec.3.3) An agency must not collect sensitive information about an individual unless— the individual consents to the collection of the information and the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities; or The equivalent APP includes a provision applying to certain private sector entities (see APP 3.3(a)(ii)). QPP 3.4 applies in relation to the information.\n(sch.3-sec.3-ssec.3.4) This QPP applies in relation to sensitive information about an individual if— the collection of the information is required or authorised under an Australian law or a court or tribunal order; or a permitted general situation exists in relation to the collection of the information by the agency; or Permitted general situations are stated in schedule 4, part 1. the agency is a health agency and a permitted health situation exists in relation to the collection of the information by the agency; or Permitted health situations are stated in schedule 4, part 2. 
the agency is a law enforcement agency and the agency reasonably believes that the collection of the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities. The equivalent APP includes a provision applying to— the Commonwealth Immigration Department (see APP 3.4(d)(i)); and non-profit organisations (see APP 3.4(e)).\n(sch.3-sec.3-ssec-oc.3) Means of collection\n(sch.3-sec.3-ssec.3.5) An agency must collect personal information only by lawful and fair means.\n(sch.3-sec.3-ssec.3.6) An agency must collect personal information about an individual only from the individual unless— either— the individual consents to the collection of the information from someone other than the individual; or the agency is required or authorised under an Australian law, or a court or tribunal order, to collect the information from someone other than the individual; or it is unreasonable or impracticable to do so.\n(sch.3-sec.3-ssec-oc.4) Solicited personal information\n(sch.3-sec.3-ssec.3.7) This QPP applies to the collection of personal information that is solicited by an agency.\n- (a) the individual consents to the collection of the information and the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities; or Editor’s note— The equivalent APP includes a provision applying to certain private sector entities (see APP 3.3(a)(ii)).\n- (b) QPP 3.4 applies in relation to the information.\n- (a) the collection of the information is required or authorised under an Australian law or a court or tribunal order; or\n- (b) a permitted general situation exists in relation to the collection of the information by the agency; or Note— Permitted general situations are stated in schedule 4, part 1.\n- (c) the agency is a health agency and a permitted health situation exists in relation to the collection of the information by the agency; or Note— Permitted health situations 
are stated in schedule 4, part 2.\n- (d) the agency is a law enforcement agency and the agency reasonably believes that the collection of the information is reasonably necessary for, or directly related to, 1 or more of the agency’s functions or activities. Editor’s note— The equivalent APP includes a provision applying to— (a) the Commonwealth Immigration Department (see APP 3.4(d)(i)); and (b) non-profit organisations (see APP 3.4(e)).\n- (a) the Commonwealth Immigration Department (see APP 3.4(d)(i)); and\n- (b) non-profit organisations (see APP 3.4(e)).\n- (a) the Commonwealth Immigration Department (see APP 3.4(d)(i)); and\n- (b) non-profit organisations (see APP 3.4(e)).\n- (a) either— (i) the individual consents to the collection of the information from someone other than the individual; or (ii) the agency is required or authorised under an Australian law, or a court or tribunal order, to collect the information from someone other than the individual; or\n- (i) the individual consents to the collection of the information from someone other than the individual; or\n- (ii) the agency is required or authorised under an Australian law, or a court or tribunal order, to collect the information from someone other than the individual; or\n- (b) it is unreasonable or impracticable to do so.\n- (i) the individual consents to the collection of the information from someone other than the individual; or\n- (ii) the agency is required or authorised under an Australian law, or a court or tribunal order, to collect the information from someone other than the individual; or","sortOrder":276},{"sectionNumber":"sch.3-sec.4","sectionType":"section","heading":"QPP 4—dealing with unsolicited personal information","content":"### sch.3-sec.4 QPP 4—dealing with unsolicited personal information\n\nIf—\nan agency receives personal information; and\nthe agency did not solicit the information;\nthe agency must, within a reasonable period after receiving the information, 
decide whether or not the agency could have collected the information under QPP 3 if the agency had solicited the information.\nThe agency may use or disclose the personal information for the purposes of making the decision under QPP 4.1.\nIf—\nthe agency decides the agency could not have collected the personal information; and\nthe information is not contained in a public record;\nthe agency must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.\nIf QPP 4.3 does not apply in relation to the personal information, QPPs 5 to 13 apply in relation to the information as if the agency had collected the information under QPP 3.\nsch 3 s 4 sub 2023 No. 32 s 74\n(sch.3-sec.4-ssec.4.1) If— an agency receives personal information; and the agency did not solicit the information; the agency must, within a reasonable period after receiving the information, decide whether or not the agency could have collected the information under QPP 3 if the agency had solicited the information.\n(sch.3-sec.4-ssec.4.2) The agency may use or disclose the personal information for the purposes of making the decision under QPP 4.1.\n(sch.3-sec.4-ssec.4.3) If— the agency decides the agency could not have collected the personal information; and the information is not contained in a public record; the agency must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.\n(sch.3-sec.4-ssec.4.4) If QPP 4.3 does not apply in relation to the personal information, QPPs 5 to 13 apply in relation to the information as if the agency had collected the information under QPP 3.\n- (a) an agency receives personal information; and\n- (b) the agency did not solicit the information;\n- (a) the agency decides the agency could not have collected the personal information; and\n- (b) the information is not contained in a 
public record;","sortOrder":277},{"sectionNumber":"sch.3-sec.5","sectionType":"section","heading":"QPP 5—notification of the collection of personal information","content":"### sch.3-sec.5 QPP 5—notification of the collection of personal information\n\nAt or before the time or, if that is not practicable, as soon as practicable after, an agency collects personal information about an individual, the agency must take steps, if any, that are reasonable in the circumstances to—\nnotify the individual of the matters mentioned in QPP 5.2 that are reasonable in the circumstances; or\notherwise ensure that the individual is aware of those matters.\nThe matters for QPP 5.1 are the following—\nthe identity and contact details of the agency;\nif—\nthe agency collects the personal information from someone other than the individual; or\nthe individual may not be aware that the agency has collected the personal information;\nthe fact that the agency collects, or has collected, the information and the circumstances of that collection;\nif the collection of the personal information is required or authorised under an Australian law, or a court or tribunal order—the fact that the collection is required or authorised, including the name of the Australian law, or details for the court or tribunal order, that requires or authorises the collection;\nthe purposes for which the agency collects the personal information;\nthe main consequences, if any, for the individual if all or some of the personal information is not collected by the agency;\nany other agency or entity, or the kinds of any other agencies or entities, to which the agency usually discloses personal information of the kind collected by the agency;\nthat the QPP privacy policy of the agency contains information about how the individual may access the personal information about the individual that is held by the agency and seek the correction of the information;\nthat the QPP privacy policy of the agency contains information 
about how the individual may complain about a breach of the QPPs, or any QPP code that binds the agency, and how the agency will deal with the complaint;\nwhether the agency is likely to disclose the personal information to entities outside of Australia;\nif the agency is likely to disclose the personal information to entities outside of Australia—the countries in which the recipients are likely to be located if it is practicable to state those countries in the notification or to otherwise make the individual aware of them.\nsch 3 s 5 sub 2023 No. 32 s 74\n(sch.3-sec.5-ssec.5.1) At or before the time or, if that is not practicable, as soon as practicable after, an agency collects personal information about an individual, the agency must take steps, if any, that are reasonable in the circumstances to— notify the individual of the matters mentioned in QPP 5.2 that are reasonable in the circumstances; or otherwise ensure that the individual is aware of those matters.\n(sch.3-sec.5-ssec.5.2) The matters for QPP 5.1 are the following— the identity and contact details of the agency; if— the agency collects the personal information from someone other than the individual; or the individual may not be aware that the agency has collected the personal information; the fact that the agency collects, or has collected, the information and the circumstances of that collection; if the collection of the personal information is required or authorised under an Australian law, or a court or tribunal order—the fact that the collection is required or authorised, including the name of the Australian law, or details for the court or tribunal order, that requires or authorises the collection; the purposes for which the agency collects the personal information; the main consequences, if any, for the individual if all or some of the personal information is not collected by the agency; any other agency or entity, or the kinds of any other agencies or entities, to which the agency 
usually discloses personal information of the kind collected by the agency; that the QPP privacy policy of the agency contains information about how the individual may access the personal information about the individual that is held by the agency and seek the correction of the information; that the QPP privacy policy of the agency contains information about how the individual may complain about a breach of the QPPs, or any QPP code that binds the agency, and how the agency will deal with the complaint; whether the agency is likely to disclose the personal information to entities outside of Australia; if the agency is likely to disclose the personal information to entities outside of Australia—the countries in which the recipients are likely to be located if it is practicable to state those countries in the notification or to otherwise make the individual aware of them.\n- (a) notify the individual of the matters mentioned in QPP 5.2 that are reasonable in the circumstances; or\n- (b) otherwise ensure that the individual is aware of those matters.\n- (a) the identity and contact details of the agency;\n- (b) if— (i) the agency collects the personal information from someone other than the individual; or (ii) the individual may not be aware that the agency has collected the personal information; the fact that the agency collects, or has collected, the information and the circumstances of that collection;\n- (i) the agency collects the personal information from someone other than the individual; or\n- (ii) the individual may not be aware that the agency has collected the personal information;\n- (c) if the collection of the personal information is required or authorised under an Australian law, or a court or tribunal order—the fact that the collection is required or authorised, including the name of the Australian law, or details for the court or tribunal order, that requires or authorises the collection;\n- (d) the purposes for which the agency collects the personal 
information;\n- (e) the main consequences, if any, for the individual if all or some of the personal information is not collected by the agency;\n- (f) any other agency or entity, or the kinds of any other agencies or entities, to which the agency usually discloses personal information of the kind collected by the agency;\n- (g) that the QPP privacy policy of the agency contains information about how the individual may access the personal information about the individual that is held by the agency and seek the correction of the information;\n- (h) that the QPP privacy policy of the agency contains information about how the individual may complain about a breach of the QPPs, or any QPP code that binds the agency, and how the agency will deal with the complaint;\n- (i) whether the agency is likely to disclose the personal information to entities outside of Australia;\n- (j) if the agency is likely to disclose the personal information to entities outside of Australia—the countries in which the recipients are likely to be located if it is practicable to state those countries in the notification or to otherwise make the individual aware of them.\n- (i) the agency collects the personal information from someone other than the individual; or\n- (ii) the individual may not be aware that the agency has collected the personal information;","sortOrder":278},{"sectionNumber":"sch.3-pt.3","sectionType":"part","heading":"Dealing with personal information","content":"# Dealing with personal information","sortOrder":279},{"sectionNumber":"sch.3-sec.6","sectionType":"section","heading":"QPP 6—use or disclosure of personal information","content":"### sch.3-sec.6 QPP 6—use or disclosure of personal information\n\nUse or disclosure\nIf an agency holds personal information about an individual that was collected for a particular purpose (the primary purpose ), the agency must not use or disclose the information for another purpose (the secondary purpose ) unless—\nthe individual has 
consented to the use or disclosure of the information; or\nQPP 6.2 applies in relation to the use or disclosure of the information.\nThis QPP applies in relation to the use or disclosure of personal information about an individual if—\nthe individual would reasonably expect the agency to use or disclose the information for the secondary purpose and the secondary purpose is—\nif the information is sensitive information—directly related to the primary purpose; or\nif the information is not sensitive information—related to the primary purpose; or\nthe use or disclosure of the information is required or authorised under an Australian law or a court or tribunal order; or\na permitted general situation exists in relation to the use or disclosure of the information by the agency; or\nPermitted general situations are stated in schedule&#160;4 , part&#160;1 .\nthe agency is a health agency and a permitted health situation exists in relation to the use or disclosure of the information by the agency; or\nPermitted health situations are stated in schedule&#160;4 , part&#160;2 .\nthe agency reasonably believes the use or disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by a law enforcement agency; or\nall of the following apply—\nASIO has asked the agency to disclose the personal information;\nan officer or employee of ASIO authorised in writing by the director-general of ASIO for this paragraph has certified in writing that the personal information is required in connection with the performance by ASIO of its functions;\nthe disclosure is made to an officer or employee of ASIO authorised in writing by the director-general of ASIO to receive the personal information; or\nQPP 6.2(f) applies in relation to Queensland agencies and does not correspond to an APP.\nall of the following apply—\nthe use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;\nthe use or 
disclosure does not involve the publication of all or any of the personal information in a form that identifies any individual;\nit is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use or disclosure;\nif the personal information is disclosed to another entity—the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity.\nQPP 6.2(g) applies in relation to Queensland agencies and does not correspond to an APP.\nThe Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about the disclosure of personal information that is biometric information or biometric templates to an enforcement body in certain circumstances (see APP 6.3).\nThere is no equivalent QPP for APP 6.3.\nIf—\nthe agency is a health agency; and\nschedule 4, part 2, section 3 applied in relation to the collection of the personal information by the agency;\nthe agency must take reasonable steps to ensure the information is de-identified before the agency discloses it under QPP 6.1 or QPP 6.2.\nWritten note of use or disclosure\nIf an agency uses or discloses personal information in accordance with QPP 6.2(e), the agency must make a written note of the use or disclosure.\nThe equivalent APP includes a provision applying to certain private sector entities (see APP 6.6 and APP 6.7).\nsch 3 s 6 sub 2023 No. 32 s 74\n(sch.3-sec.6-ssec) Use or disclosure\n(sch.3-sec.6-ssec.6.1) If an agency holds personal information about an individual that was collected for a particular purpose (the primary purpose), the agency must not use or disclose the information for another purpose (the secondary purpose) unless— the individual has consented to the use or disclosure of the information; or QPP 6.2 applies in relation to the use or disclosure of the information.\n(sch.3-sec.6-ssec.6.2) This QPP applies in relation to the use
or disclosure of personal information about an individual if— the individual would reasonably expect the agency to use or disclose the information for the secondary purpose and the secondary purpose is— if the information is sensitive information—directly related to the primary purpose; or if the information is not sensitive information—related to the primary purpose; or the use or disclosure of the information is required or authorised under an Australian law or a court or tribunal order; or a permitted general situation exists in relation to the use or disclosure of the information by the agency; or Permitted general situations are stated in schedule 4, part 1. the agency is a health agency and a permitted health situation exists in relation to the use or disclosure of the information by the agency; or Permitted health situations are stated in schedule 4, part 2. the agency reasonably believes the use or disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by a law enforcement agency; or all of the following apply— ASIO has asked the agency to disclose the personal information; an officer or employee of ASIO authorised in writing by the director-general of ASIO for this paragraph has certified in writing that the personal information is required in connection with the performance by ASIO of its functions; the disclosure is made to an officer or employee of ASIO authorised in writing by the director-general of ASIO to receive the personal information; or QPP 6.2(f) applies in relation to Queensland agencies and does not correspond to an APP.
all of the following apply— the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest; the use or disclosure does not involve the publication of all or any of the personal information in a form that identifies any individual; it is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use or disclosure; if the personal information is disclosed to another entity—the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity. QPP 6.2(g) applies in relation to Queensland agencies and does not correspond to an APP. The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about the disclosure of personal information that is biometric information or biometric templates to an enforcement body in certain circumstances (see APP 6.3). There is no equivalent QPP for APP 6.3.\n(sch.3-sec.6-ssec.6.4) If— the agency is a health agency; and schedule 4, part 2, section 3 applied in relation to the collection of the personal information by the agency; the agency must take reasonable steps to ensure the information is de-identified before the agency discloses it under QPP 6.1 or QPP 6.2.\n(sch.3-sec.6-ssec-oc.2) Written note of use or disclosure\n(sch.3-sec.6-ssec.6.5) If an agency uses or discloses personal information in accordance with QPP 6.2(e), the agency must make a written note of the use or disclosure.
The equivalent APP includes a provision applying to certain private sector entities (see APP 6.6 and APP 6.7).\n- (a) the individual has consented to the use or disclosure of the information; or\n- (b) QPP 6.2 applies in relation to the use or disclosure of the information.\n- (a) the individual would reasonably expect the agency to use or disclose the information for the secondary purpose and the secondary purpose is— (i) if the information is sensitive information—directly related to the primary purpose; or (ii) if the information is not sensitive information—related to the primary purpose; or\n- (i) if the information is sensitive information—directly related to the primary purpose; or\n- (ii) if the information is not sensitive information—related to the primary purpose; or\n- (b) the use or disclosure of the information is required or authorised under an Australian law or a court or tribunal order; or\n- (c) a permitted general situation exists in relation to the use or disclosure of the information by the agency; or Note— Permitted general situations are stated in schedule 4, part 1.\n- (d) the agency is a health agency and a permitted health situation exists in relation to the use or disclosure of the information by the agency; or Note— Permitted health situations are stated in schedule 4, part 2.\n- (e) the agency reasonably believes the use or disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by a law enforcement agency; or\n- (f) all of the following apply— (i) ASIO has asked the agency to disclose the personal information; (ii) an officer or employee of ASIO authorised in writing by the director-general of ASIO for this paragraph has certified in writing that the personal information is required in connection with the performance by ASIO of its functions; (iii) the disclosure is made to an officer or employee of ASIO authorised in writing by the director-general of ASIO
to receive the personal information; or Editor’s note— QPP 6.2(f) applies in relation to Queensland agencies and does not correspond to an APP.\n- (i) ASIO has asked the agency to disclose the personal information;\n- (ii) an officer or employee of ASIO authorised in writing by the director-general of ASIO for this paragraph has certified in writing that the personal information is required in connection with the performance by ASIO of its functions;\n- (iii) the disclosure is made to an officer or employee of ASIO authorised in writing by the director-general of ASIO to receive the personal information; or\n- (g) all of the following apply— (i) the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest; (ii) the use or disclosure does not involve the publication of all or any of the personal information in a form that identifies any individual; (iii) it is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use or disclosure; (iv) if the personal information is disclosed to another entity—the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity. Editor’s notes— 1 QPP 6.2(g) applies in relation to Queensland agencies and does not correspond to an APP. 2 The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about the disclosure of personal information that is biometric information or biometric templates to an enforcement body in certain circumstances (see APP 6.3).
There is no equivalent QPP for APP 6.3.\n- (i) the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;\n- (ii) the use or disclosure does not involve the publication of all or any of the personal information in a form that identifies any individual;\n- (iii) it is not practicable to obtain the express or implied agreement of each individual the subject of the personal information before the use or disclosure;\n- (iv) if the personal information is disclosed to another entity—the agency is satisfied on reasonable grounds that the relevant entity will not disclose the personal information to another entity.\n- 1 QPP 6.2(g) applies in relation to Queensland agencies and does not correspond to an APP.\n- 2 The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about the disclosure of personal information that is biometric information or biometric templates to an enforcement body in certain circumstances (see APP 6.3).
There is no equivalent QPP for APP 6.3.\n- (a) the agency is a health agency; and\n- (b) schedule 4, part 2, section 3 applied in relation to the collection of the personal information by the agency;","sortOrder":280},{"sectionNumber":"sch.3-sec.7","sectionType":"section","heading":"QPP 7—direct marketing","content":"### sch.3-sec.7 QPP 7—direct marketing\n\nThe Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle prohibiting direct marketing by certain private sector entities (see APP 7).\nThere is no equivalent QPP for APP 7.\nQPP 6 is relevant to the use or disclosure of personal information for the purpose of direct marketing.\nsch 3 s 7 sub 2023 No. 32 s 74","sortOrder":281},{"sectionNumber":"sch.3-sec.8","sectionType":"section","heading":"QPP 8—cross-border disclosure of personal information","content":"### sch.3-sec.8 QPP 8—cross-border disclosure of personal information\n\nThe Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about requirements for cross-border disclosure of personal information (see APP 8).\nThere is no equivalent QPP for APP 8.\nsch 3 s 8 sub 2023 No. 32 s 74","sortOrder":282},{"sectionNumber":"sch.3-sec.9","sectionType":"section","heading":"QPP 9—adoption, use or disclosure of government related identifiers","content":"### sch.3-sec.9 QPP 9—adoption, use or disclosure of government related identifiers\n\nThe Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle regulating the adoption, use or disclosure of government related identifiers by certain private sector entities (see APP 9).\nThere is no equivalent QPP for APP 9.\nsch 3 s 9 sub 2023 No. 32 s 74","sortOrder":283},{"sectionNumber":"sch.3-pt.4","sectionType":"part","heading":"Integrity of personal information","content":"# Integrity of personal information","sortOrder":284},{"sectionNumber":"sch.3-sec.10","sectionType":"section","heading":"QPP 10—quality of personal
information","content":"### sch.3-sec.10 QPP 10—quality of personal information\n\nAn agency must take reasonable steps to ensure the personal information the agency collects is accurate, up to date and complete.\nAn agency must take reasonable steps to ensure the personal information the agency uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.\nsch 3 s 10 sub 2023 No. 32 s 74\n(sch.3-sec.10-ssec.10.1) An agency must take reasonable steps to ensure the personal information the agency collects is accurate, up to date and complete.\n(sch.3-sec.10-ssec.10.2) An agency must take reasonable steps to ensure the personal information the agency uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.","sortOrder":285},{"sectionNumber":"sch.3-sec.11","sectionType":"section","heading":"QPP 11—security of personal information","content":"### sch.3-sec.11 QPP 11—security of personal information\n\nIf an agency holds personal information, the agency must take reasonable steps to protect the information—\nfrom misuse, interference or loss; and\nfrom unauthorised access, modification or disclosure.\nIf—\nan agency holds personal information about an individual; and\nthe agency no longer needs the information for a purpose for which the information may be used or disclosed by the agency under the QPPs; and\nthe information is not contained in a public record; and\nthe agency is not required under an Australian law, or a court or tribunal order, to retain the information;\nthe agency must take reasonable steps to destroy the information or to ensure the information is de-identified.\nsch 3 s 11 amd 2017 No. 17 s 129\nsub 2023 No. 32 s 74\n(sch.3-sec.11-ssec.11.1) If an agency holds personal information, the agency must take reasonable steps to protect the information— from misuse, interference or loss; and from
unauthorised access, modification or disclosure.\n(sch.3-sec.11-ssec.11.2) If— an agency holds personal information about an individual; and the agency no longer needs the information for a purpose for which the information may be used or disclosed by the agency under the QPPs; and the information is not contained in a public record; and the agency is not required under an Australian law, or a court or tribunal order, to retain the information; the agency must take reasonable steps to destroy the information or to ensure the information is de-identified.\n- (a) from misuse, interference or loss; and\n- (b) from unauthorised access, modification or disclosure.\n- (a) an agency holds personal information about an individual; and\n- (b) the agency no longer needs the information for a purpose for which the information may be used or disclosed by the agency under the QPPs; and\n- (c) the information is not contained in a public record; and\n- (d) the agency is not required under an Australian law, or a court or tribunal order, to retain the information;","sortOrder":286},{"sectionNumber":"sch.3-pt.5","sectionType":"part","heading":"Access to, and correction of, personal information","content":"# Access to, and correction of, personal information","sortOrder":287},{"sectionNumber":"sch.3-sec.12","sectionType":"section","heading":"QPP 12—access to personal information","content":"### sch.3-sec.12 QPP 12—access to personal information\n\nAccess\nIf an agency holds personal information about an individual, the agency must, on request by the individual, give the individual access to the information.\nException to access\nIf the agency is required or authorised to refuse to give the individual access to the personal information under—\nthe Right to Information Act ; or\nanother law in force in Queensland that provides for access by people to documents;\nthen, despite QPP 12.1, the agency is not required to give access to the extent the agency is required or authorised to 
refuse to give access.\nThe equivalent APP includes a provision applying to certain private sector entities (see APP 12.3).\nThe Privacy Act 1988 (Cwlth), schedule 1 includes privacy principles about the procedures for requesting access to personal information, including requirements for dealing with requests for access, other means of access, access charges and refusals to give access (see APPs 12.4 to 12.10).\nThere are no equivalent QPPs for APPs 12.3 to 12.10.\nsch 3 s 12 ins 2023 No. 32 s 74\n(sch.3-sec.12-ssec) Access\n(sch.3-sec.12-ssec.12.1) If an agency holds personal information about an individual, the agency must, on request by the individual, give the individual access to the information.\n(sch.3-sec.12-ssec-oc.2) Exception to access\n(sch.3-sec.12-ssec.12.2) If the agency is required or authorised to refuse to give the individual access to the personal information under— the Right to Information Act; or another law in force in Queensland that provides for access by people to documents; then, despite QPP 12.1, the agency is not required to give access to the extent the agency is required or authorised to refuse to give access. The equivalent APP includes a provision applying to certain private sector entities (see APP 12.3). The Privacy Act 1988 (Cwlth), schedule 1 includes privacy principles about the procedures for requesting access to personal information, including requirements for dealing with requests for access, other means of access, access charges and refusals to give access (see APPs 12.4 to 12.10).
There are no equivalent QPPs for APPs 12.3 to 12.10.\n- (a) the Right to Information Act; or\n- (b) another law in force in Queensland that provides for access by people to documents;\n- 1 The equivalent APP includes a provision applying to certain private sector entities (see APP 12.3).\n- 2 The Privacy Act 1988 (Cwlth), schedule 1 includes privacy principles about the procedures for requesting access to personal information, including requirements for dealing with requests for access, other means of access, access charges and refusals to give access (see APPs 12.4 to 12.10). There are no equivalent QPPs for APPs 12.3 to 12.10.","sortOrder":288},{"sectionNumber":"sch.3-sec.13","sectionType":"section","heading":"QPP 13—correction of personal information","content":"### sch.3-sec.13 QPP 13—correction of personal information\n\nCorrection\nIf—\nan agency holds personal information about an individual; and\neither—\nthe agency is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or\nthe individual requests the agency to correct the information;\nthe agency must take reasonable steps to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.\nThe Privacy Act 1988 (Cwlth), schedule 1 includes privacy principles about requirements to notify other APP entities of corrections to personal information, and refusals to correct personal information (see APPs 13.2 and 13.3).\nThere are no equivalent QPPs for APPs 13.2 and 13.3.\nRequest to associate a statement\nIf—\nthe agency refuses to correct the personal information as requested by the individual; and\nthe individual requests the agency to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading;\nthe agency must take
reasonable steps to associate the statement in a way that will make the statement apparent to users of the information.\nThe Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about dealing with requests to correct personal information (see APP 13.5).\nThere is no equivalent QPP for APP 13.5.\nAn agency need not comply with QPP 13.1 in relation to a request made to the agency to correct personal information if the agency is required or authorised to refuse to correct or amend the information under the Right to Information Act or another Act regulating the amendment of personal information.\nQPP 13.6 applies in relation to Queensland agencies and does not correspond to an APP.\nsch 3 s 13 ins 2023 No. 32 s 74\n(sch.3-sec.13-ssec) Correction\n(sch.3-sec.13-ssec.13.1) If— an agency holds personal information about an individual; and either— the agency is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or the individual requests the agency to correct the information; the agency must take reasonable steps to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading. The Privacy Act 1988 (Cwlth), schedule 1 includes privacy principles about requirements to notify other APP entities of corrections to personal information, and refusals to correct personal information (see APPs 13.2 and 13.3).
There are no equivalent QPPs for APPs 13.2 and 13.3.\n(sch.3-sec.13-ssec-oc.2) Request to associate a statement\n(sch.3-sec.13-ssec.13.4) If— the agency refuses to correct the personal information as requested by the individual; and the individual requests the agency to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading; the agency must take reasonable steps to associate the statement in a way that will make the statement apparent to users of the information. The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle about dealing with requests to correct personal information (see APP 13.5). There is no equivalent QPP for APP 13.5.\n(sch.3-sec.13-ssec.13.6) An agency need not comply with QPP 13.1 in relation to a request made to the agency to correct personal information if the agency is required or authorised to refuse to correct or amend the information under the Right to Information Act or another Act regulating the amendment of personal information.
QPP 13.6 applies in relation to Queensland agencies and does not correspond to an APP.\n- (a) an agency holds personal information about an individual; and\n- (b) either— (i) the agency is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or (ii) the individual requests the agency to correct the information; the agency must take reasonable steps to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.\n- (i) the agency is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or\n- (ii) the individual requests the agency to correct the information;\n- (a) the agency refuses to correct the personal information as requested by the individual; and\n- (b) the individual requests the agency to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading;","sortOrder":289},{"sectionNumber":"sch.4-pt.1","sectionType":"part","heading":"Permitted general situations","content":"# Permitted general situations","sortOrder":290},{"sectionNumber":"sch.4-sec.1","sectionType":"section","heading":"Collection, use or disclosure","content":"### sch.4-sec.1 Collection, use or disclosure\n\nA permitted general situation exists in relation to the collection, use or disclosure by an agency of personal information about an individual if—\nboth of the following apply—\nit is unreasonable or impracticable to obtain the individual’s consent to the
collection, use or disclosure;\nthe agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety; or\nboth of the following apply—\nthe agency has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the agency’s functions or activities has been, is being or may be engaged in;\nthe agency reasonably believes that the collection, use or disclosure is necessary in order for the agency to take appropriate action in relation to the matter; or\nboth of the following apply—\nthe agency reasonably believes that the collection, use or disclosure is reasonably necessary to assist an entity to locate a person who has been reported as missing;\nthe collection, use or disclosure complies with a guideline in effect under chapter 3, part 2; or\nthe collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim; or\nthe collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.\nsch 4 s 1 amd 2011 No. 32 s 332 sch 1 pt 2 (amd 2012 No. 9 s 47)\nsub 2023 No. 32 s 74\n- (a) both of the following apply— (i) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; (ii) the agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety; or\n- (i) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure;\n- (ii) the agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety; or\n-
(b) both of the following apply— (i) the agency has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the agency’s functions or activities has been, is being or may be engaged in; (ii) the agency reasonably believes that the collection, use or disclosure is necessary in order for the agency to take appropriate action in relation to the matter; or\n- (i) the agency has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the agency’s functions or activities has been, is being or may be engaged in;\n- (ii) the agency reasonably believes that the collection, use or disclosure is necessary in order for the agency to take appropriate action in relation to the matter; or\n- (c) both of the following apply— (i) the agency reasonably believes that the collection, use or disclosure is reasonably necessary to assist an entity to locate a person who has been reported as missing; (ii) the collection, use or disclosure complies with a guideline in effect under chapter 3, part 2; or\n- (i) the agency reasonably believes that the collection, use or disclosure is reasonably necessary to assist an entity to locate a person who has been reported as missing;\n- (ii) the collection, use or disclosure complies with a guideline in effect under chapter 3, part 2; or\n- (d) the collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim; or\n- (e) the collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.\n- (i) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure;\n- (ii) the agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety; or\n- (i) the agency
has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the agency’s functions or activities has been, is being or may be engaged in;\n- (ii) the agency reasonably believes that the collection, use or disclosure is necessary in order for the agency to take appropriate action in relation to the matter; or\n- (i) the agency reasonably believes that the collection, use or disclosure is reasonably necessary to assist an entity to locate a person who has been reported as missing;\n- (ii) the collection, use or disclosure complies with a guideline in effect under chapter 3, part 2; or","sortOrder":291},{"sectionNumber":"sch.4-pt.2","sectionType":"part","heading":"Permitted health situations","content":"# Permitted health situations","sortOrder":292},{"sectionNumber":"sch.4-sec.2","sectionType":"section","heading":"Collection—provision of a health service","content":"### sch.4-sec.2 Collection—provision of a health service\n\nA permitted health situation exists in relation to the collection by a health agency of health information about an individual if—\nthe information is necessary to provide a health service to the individual; and\neither—\nthe collection is required or authorised under an Australian law; or\nthe individual would reasonably expect the health agency to collect the information for that purpose.\nAlso, a permitted health situation exists in relation to the collection by a health agency of health information about an individual if—\nthe information is a family medical history, social medical history or other relevant information about the individual or another individual; and\nit is necessary to collect the information about the individual for the purpose of providing the individual or another individual with a health service; and\nthe information about the individual is collected by the health agency from—\nthe person who is receiving or about to receive the health service; or\na responsible person for
the individual.\nsch 4 s 2 amd 2011 No. 32 s 332 sch 1 pt 2 (amd 2012 No. 9 s 47)\nsub 2023 No. 32 s 74\n(sch.4-sec.2-ssec.1) A permitted health situation exists in relation to the collection by a health agency of health information about an individual if— the information is necessary to provide a health service to the individual; and either— the collection is required or authorised under an Australian law; or the individual would reasonably expect the health agency to collect the information for that purpose.\n(sch.4-sec.2-ssec.2) Also, a permitted health situation exists in relation to the collection by a health agency of health information about an individual if— the information is a family medical history, social medical history or other relevant information about the individual or another individual; and it is necessary to collect the information about the individual for the purpose of providing the individual or another individual with a health service; and the information about the individual is collected by the health agency from— the person who is receiving or about to receive the health service; or a responsible person for the individual.\n- (a) the information is necessary to provide a health service to the individual; and\n- (b) either— (i) the collection is required or authorised under an Australian law; or (ii) the individual would reasonably expect the health agency to collect the information for that purpose.\n- (i) the collection is required or authorised under an Australian law; or\n- (ii) the individual would reasonably expect the health agency to collect the information for that purpose.\n- (a) the information is a family medical history, social medical history or other relevant information about the individual or another
individual; and\n- (b) it is necessary to collect the information about the individual for the purpose of providing the individual or another individual with a health service; and\n- (c) the information about the individual is collected by the health agency from— (i) the person who is receiving or about to receive the health service; or (ii) a responsible person for the individual.\n- (i) the person who is receiving or about to receive the health service; or\n- (ii) a responsible person for the individual.\n- (i) the person who is receiving or about to receive the health service; or\n- (ii) a responsible person for the individual.","sortOrder":293},{"sectionNumber":"sch.4-sec.3","sectionType":"section","heading":"Collection—research etc.","content":"### sch.4-sec.3 Collection—research etc.\n\nA permitted health situation exists in relation to the collection by a health agency of health information about an individual if—\nthe collection is necessary for any of the following purposes—\nresearch relevant to public health or public safety;\nthe compilation or analysis of statistics relevant to public health or public safety;\nthe management, funding or monitoring of a health service; and\nthat purpose can not be served by the collection of information that does not identify the individual or from which the individual’s identity can not reasonably be ascertained; and\nit is impracticable for the health agency to seek the individual’s consent to the collection; and\nthe information is collected—\nas required or authorised under an Australian law; or\nby a designated person with the approval of the relevant chief executive; or\nin accordance with guidelines approved by the chief executive of the health department for this subparagraph.\nIn this section—\ndesignated person see the Hospital and Health Boards Act 2011, section 139A.\nrelevant chief executive, of a health agency, means—\nif the health agency is a Hospital and Health Service—the health service chief 
executive or the chief executive of the health department; or\notherwise—the chief executive of the health department.\nsch 4 s 3 amd 2011 No. 32 s 332 sch 1 pt 2 (amd 2012 No. 9 s 47)\nsub 2023 No. 32 s 74\n(sch.4-sec.3-ssec.1) A permitted health situation exists in relation to the collection by a health agency of health information about an individual if— the collection is necessary for any of the following purposes— research relevant to public health or public safety; the compilation or analysis of statistics relevant to public health or public safety; the management, funding or monitoring of a health service; and that purpose can not be served by the collection of information that does not identify the individual or from which the individual’s identity can not reasonably be ascertained; and it is impracticable for the health agency to seek the individual’s consent to the collection; and the information is collected— as required or authorised under an Australian law; or by a designated person with the approval of the relevant chief executive; or in accordance with guidelines approved by the chief executive of the health department for this subparagraph.\n(sch.4-sec.3-ssec.2) In this section— designated person see the Hospital and Health Boards Act 2011, section 139A. 
relevant chief executive, of a health agency, means— if the health agency is a Hospital and Health Service—the health service chief executive or the chief executive of the health department; or otherwise—the chief executive of the health department.\n- (a) the collection is necessary for any of the following purposes— (i) research relevant to public health or public safety; (ii) the compilation or analysis of statistics relevant to public health or public safety; (iii) the management, funding or monitoring of a health service; and\n- (i) research relevant to public health or public safety;\n- (ii) the compilation or analysis of statistics relevant to public health or public safety;\n- (iii) the management, funding or monitoring of a health service; and\n- (b) that purpose can not be served by the collection of information that does not identify the individual or from which the individual’s identity can not reasonably be ascertained; and\n- (c) it is impracticable for the health agency to seek the individual’s consent to the collection; and\n- (d) the information is collected— (i) as required or authorised under an Australian law; or (ii) by a designated person with the approval of the relevant chief executive; or (iii) in accordance with guidelines approved by the chief executive of the health department for this subparagraph.\n- (i) as required or authorised under an Australian law; or\n- (ii) by a designated person with the approval of the relevant chief executive; or\n- (iii) in accordance with guidelines approved by the chief executive of the health department for this subparagraph.\n- (i) research relevant to public health or public safety;\n- (ii) the compilation or analysis of statistics relevant to public health or public safety;\n- (iii) the management, funding or monitoring of a health service; and\n- (i) as required or authorised under an Australian law; or\n- (ii) by a designated person with the approval of the relevant chief executive; or\n- (iii) in 
accordance with guidelines approved by the chief executive of the health department for this subparagraph.\n- (a) if the health agency is a Hospital and Health Service—the health service chief executive or the chief executive of the health department; or\n- (b) otherwise—the chief executive of the health department.","sortOrder":294},{"sectionNumber":"sch.4-sec.4","sectionType":"section","heading":"Use or disclosure—research etc.","content":"### sch.4-sec.4 Use or disclosure—research etc.\n\nA permitted health situation exists in relation to the use or disclosure by a health agency of health information about an individual if—\nthe use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and\nit is impracticable for the health agency to obtain the individual’s consent before the use or disclosure; and\nthe use or disclosure is conducted in accordance with guidelines approved by the chief executive of the health department for this paragraph; and\nfor disclosure—the health agency reasonably believes the entity receiving the health information will not disclose the health information or personal information derived from the health information.\nsch 4 s 4 amd 2011 No. 32 s 332 sch 1 pt 2 (amd 2012 No. 9 s 47); 2023 No. 33 s 107 sch 5\nsub 2023 No. 32 s 74\n- (a) the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and\n- (b) it is impracticable for the health agency to obtain the individual’s consent before the use or disclosure; and\n- (c) the use or disclosure is conducted in accordance with guidelines approved by the chief executive of the health department for this paragraph; and\n- (d) for disclosure—the health agency reasonably believes the entity receiving the health information will not disclose the health information or personal information derived from the 
health information.","sortOrder":295},{"sectionNumber":"sch.4-sec.5","sectionType":"section","heading":"Disclosure—responsible person for an individual","content":"### sch.4-sec.5 Disclosure—responsible person for an individual\n\nA permitted health situation exists in relation to the disclosure by a health agency of health information about an individual if—\nthe health agency provides a health service to the individual; and\nthe recipient of the information is a responsible person for the individual; and\nthe individual is—\nphysically or legally incapable of giving consent to the disclosure; or\nphysically can not communicate consent to the disclosure; and\na health professional providing the health service for the organisation is satisfied—\nthe disclosure is necessary to provide appropriate care or treatment of the individual; or\nthe disclosure is made for compassionate reasons; and\nthe disclosure is not contrary to any wish—\nexpressed by the individual before the individual became unable to give or communicate consent; and\nof which the health professional is aware, or of which the health professional could reasonably be expected to be aware; and\nthe disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (d).\nsch 4 s 5 amd 2011 No. 32 s 332 sch 1 pt 2 (amd 2012 No. 9 s 47)\nsub 2023 No. 32 s 74\n- (a) the health agency provides a health service to the individual; and\n- (b) the recipient of the information is a responsible person for the individual; and\n- (c) the individual is— (i) physically or legally incapable of giving consent to the disclosure; or (ii) physically can not communicate consent to the disclosure; and\n- (i) physically or legally incapable of giving consent to the disclosure; or\n- (ii) physically can not communicate consent to the disclosure; and\n- (d) a health professional providing the health service for the organisation is satisfied— (i) the disclosure 
is necessary to provide appropriate care or treatment of the individual; or (ii) the disclosure is made for compassionate reasons; and\n- (i) the disclosure is necessary to provide appropriate care or treatment of the individual; or\n- (ii) the disclosure is made for compassionate reasons; and\n- (e) the disclosure is not contrary to any wish— (i) expressed by the individual before the individual became unable to give or communicate consent; and (ii) of which the health professional is aware, or of which the health professional could reasonably be expected to be aware; and\n- (i) expressed by the individual before the individual became unable to give or communicate consent; and\n- (ii) of which the health professional is aware, or of which the health professional could reasonably be expected to be aware; and\n- (f) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (d).\n- (i) physically or legally incapable of giving consent to the disclosure; or\n- (ii) physically can not communicate consent to the disclosure; and\n- (i) the disclosure is necessary to provide appropriate care or treatment of the individual; or\n- (ii) the disclosure is made for compassionate reasons; and\n- (i) expressed by the individual before the individual became unable to give or communicate consent; and\n- (ii) of which the health professional is aware, or of which the health professional could reasonably be expected to be aware; and","sortOrder":296},{"sectionNumber":"sch.4-sec.6","sectionType":"section","heading":null,"content":"### Section sch.4-sec.6\n\nsch 4 s 6 amd 2011 No. 32 s 332 sch 1 pt 2 (amd 2012 No. 9 s 47)\nom 2023 No. 32 s 74","sortOrder":297},{"sectionNumber":"sch.4-sec.7","sectionType":"section","heading":null,"content":"### Section sch.4-sec.7\n\nsch 4 s 7 amd 2011 No. 32 s 332 sch 1 pt 2 (amd 2012 No. 9 s 47)\nom 2023 No. 32 s 
74","sortOrder":298},{"sectionNumber":"sch.4-sec.8","sectionType":"section","heading":null,"content":"### Section sch.4-sec.8\n\nsch 4 s 8 amd 2011 No. 32 s 332 sch 1 pt 2 (amd 2012 No. 9 s 47)\nom 2023 No. 32 s 74","sortOrder":299},{"sectionNumber":"sch.4-sec.9","sectionType":"section","heading":null,"content":"### Section sch.4-sec.9\n\nsch 4 s 9 amd 2011 No. 32 s 332 sch 1 pt 2 (amd 2012 No. 9 s 47)\nom 2023 No. 32 s 74","sortOrder":300}],"analysis":{"flash_summary":{"complexity_score":9,"scope_assessment":{"changed":true,"description":"The original Act focused on providing individuals with rights to access and amend their personal information held by agencies, along with privacy principles. The 2023 amendments (Information Privacy and Other Legislation Amendment Act 2023) significantly shifted scope: they removed the entire chapter on access and amendment (former chapter 3) and replaced it with a new mandatory data breach notification scheme (chapter 3A), along with substantially rewritten Queensland Privacy Principles (QPPs) that now include new obligations for transparency, anonymity, and managing unsolicited information. The amendments also extended the Act's application to contracted service providers in a more detailed way and added new enforcement powers for the Information Commissioner. 
This represents a major change from a rights-based access model to a broader compliance and breach-notification framework."},"complexity_factors":["Very long Act with over 200 sections plus extensive schedules","47 defined terms in schedule 5 (dictionary)","Heavy cross-referencing within the Act and to other legislation (e.g., Right to Information Act, QCAT Act, Criminal Code)","Multiple layers of exceptions and conditional logic in QPPs and data breach provisions","Nested exceptions in QPP 6 (use/disclosure) and QPP 3 (sensitive information)","Complex data breach assessment and notification requirements with multiple exemptions (e.g., investigations, remedial action, cybersecurity)","Transitional provisions for 2023 amendments adding further complexity","Interplay between QPPs and separate codes of practice (QPP codes)","Schedules containing detailed principles, permitted situations, and lists of excluded entities"],"plain_english_summary":"This law sets out rules for how Queensland government agencies (ministers, departments, local councils, and public authorities) must handle people's personal information. It covers everything from collecting and storing information to using and sharing it. The law requires agencies to be open about how they manage personal information, give individuals the choice to remain anonymous in many situations, and only collect information that is reasonably necessary for their work. If an agency suffers a serious data breach (e.g., unauthorised access that could cause harm), it must quickly investigate, notify affected individuals, and report to the Information Commissioner. The law also creates a complaints process where individuals can complain about privacy breaches, which can lead to mediation or a hearing by the Queensland Civil and Administrative Tribunal (QCAT), which can order remedies like compensation up to $100,000. 
The Information Commissioner oversees compliance, can issue guidelines and compliance notices, and may conduct audits and investigations. Importantly, the law does not give individuals a general right to sue for privacy breaches—enforcement is through the commissioner and QCAT."},"issue_detection":{"absurdities":[{"type":"circular_definition","section":"sec.15","severity":"high","reasoning":"Section 15 states a 'document' does not include a document to which privacy principle requirements do not apply. Section 16 then defines 'document to which the privacy principle requirements do not apply' as a document in schedule 1. This means 'document' is defined as 'any document except the ones in schedule 1' without ever positively defining what a document actually is. The entire definitional scheme relies on the ordinary meaning of 'document' while purporting to define it, creating a hollowed-out definition that adds no legal content beyond the exclusion.","confidence":0.82,"description":"Circular definition: 'document' is defined by excluding documents to which privacy principle requirements do not apply, and that exclusion is itself defined by reference to schedule 1. The definition of 'document' is thus meaningful only by reference to what it excludes, meaning the positive content of 'document' is never stated — it is defined entirely by negation."},{"type":"other","section":"sec.13","severity":"medium","reasoning":"The interaction of sec.13 (holding requires containment in a 'document') and sec.15 (document excludes schedule 1 documents) creates a structural gap: personal information in excluded documents is, by definition, not 'held' by an agency and therefore outside the Act's protections, even though sec.6 purports to apply the Act to personal information regardless of when it was collected.","confidence":0.78,"description":"The definition of 'holds' or 'held' in relation to personal information requires the information to be 'contained in a document.' 
Combined with sec.15's definition of 'document' (which excludes documents to which privacy principle requirements do not apply), an agency can never 'hold' personal information that is in an excluded document. This means the privacy obligations triggered by 'holding' information can be avoided simply by storing information in a category of excluded document."},{"type":"self_contradicting","section":"sec.48","severity":"medium","reasoning":"Section 48(1) triggers on an agency that 'knows, or reasonably suspects' the breach is eligible. Section 48(2)(b) then only requires an assessment 'if the agency does not know whether the data breach is an eligible data breach.' However the section applies equally to agencies that do know (sec.48(1) includes knowing), meaning an agency that already knows is subjected to both the assessment obligation (which is then carved out by sec.48(2)(b)) and the containment obligation — the drafting is inconsistent because the section applies to 'knows' but then constructs an obligation premised on not knowing.","confidence":0.71,"description":"Impossible simultaneous obligation: sec.48(2)(a) requires an agency to 'immediately, and continue to, take all reasonable steps to contain the data breach and mitigate the harm.' The word 'immediately' is logically incompatible with the qualifier 'and continue to' — one cannot both act instantaneously and continue an ongoing process. More significantly, an agency that 'knows' there is an eligible data breach (sec.48(1)) is still required under sec.48(2)(b) to assess 'whether there are reasonable grounds to believe the data breach is an eligible data breach' — an assessment that is logically redundant if the agency already knows."},{"type":"circular_definition","section":"sec.57","severity":"medium","reasoning":"Section 47 defines an eligible data breach as one 'likely to result in serious harm.' 
Section 57 provides an exemption from notification for an eligible data breach where remedial action has been taken so the breach is 'no longer likely to result in serious harm.' If the serious harm likelihood has been eliminated, the triggering condition of sec.50 (agency 'reasonably believes that there has been an eligible data breach') may no longer be satisfied, making the notification obligations under division 2 inapplicable in the first place. The exemption thus exempts from an obligation that may not exist.","confidence":0.68,"description":"The exemption from notification in sec.57 applies when an agency has taken remedial action that prevents serious harm. However, sec.57(1) refers to 'an eligible data breach' — a breach that by definition under sec.47 is one likely to result in serious harm. If remedial action has been taken such that the breach is 'no longer likely to result in serious harm to any individual,' the breach may arguably no longer meet the definition of an eligible data breach at all, making the exemption logically superfluous — there would be nothing to be exempt from."},{"type":"other","section":"sec.36","severity":"low","reasoning":"The provision creates a situation where compliance with post-termination data return obligations eliminates the subject matter of the ongoing QPP obligation, while non-compliance with return obligations (i.e., continuing to hold the data) is what triggers the ongoing QPP obligation. The section inadvertently incentivises retention of data beyond the arrangement's end.","confidence":0.55,"description":"Section 36(2) provides that obligations on a bound contracted service provider continue after the service arrangement ends 'in relation to personal information it continues to hold.' However, if the service arrangement has ended, there is typically a requirement to return or destroy the personal information. 
If the provider retains and holds the information post-termination, they may be in breach of the arrangement; yet sec.36(2) implicitly contemplates ongoing holding, creating a tension between contractual obligations to return information and statutory obligations that only apply if information is retained."},{"type":"other","section":"sec.28","severity":"medium","reasoning":"The exemption in sec.28 applies to information 'related to or connected with' information the individual published. This connection can be remote. The exemption effectively strips individuals of access and correction rights (QPP 6) in relation to government-held files simply because they shared some related information publicly, creating an absurd outcome where self-disclosure reduces rather than preserves privacy rights.","confidence":0.65,"description":"Section 28 exempts agencies from complying with QPP 6 or 10.2 where an individual has previously published their own personal information. However, QPP 6 relates to access to and correction of personal information held by an agency — an individual's right to access their own data. Exempting an agency from this obligation merely because the individual published some related information is disproportionate and potentially removes an individual's right to access their own file held by government on the basis of prior self-publication, which undermines the Act's primary object."},{"type":"self_contradicting","section":"sec.12","severity":"medium","reasoning":"Sec.12 expressly includes information not recorded in material form. Sec.13 conditions 'holding' on containment in a document. Many of the Act's obligations depend on an agency 'holding' information. 
Oral knowledge of personal information, which is personal information under sec.12, is never 'held' under sec.13, creating a class of personal information that is definitionally within the Act but practically outside all its obligations.","confidence":0.75,"description":"Personal information is defined to include information that is not recorded in a material form. Combined with sec.13, which requires information to be 'contained in a document' for an agency to 'hold' it, and sec.15 which defines 'document' in a limited way, unrecorded personal information falls within the definition of 'personal information' under sec.12 but can never be 'held' under sec.13 (since it is not in a document). The Act therefore contemplates regulating personal information that can never be 'held' by any agency, creating obligations with no practical subject matter."},{"type":"other","section":"sec.54","severity":"low","reasoning":"While practically necessary, the exemption from QPPs for inter-agency sharing of personal information for breach notification purposes means that agencies may share sensitive personal information (name, contact details, date of birth, identifiers, date of death) without the privacy safeguards that would normally apply. The Act creates a privacy-free zone in the process of addressing privacy failures.","confidence":0.6,"description":"Section 54(4) exempts disclosing and receiving agencies from complying with QPPs in relation to sharing of personal information for data breach notification purposes. This creates the anomaly that the mechanism for notifying individuals of privacy breaches is itself exempt from privacy obligations — the cure operates outside the very protections the Act establishes."}],"contradictions":[{"severity":"medium","section_a":"sec.6","section_b":"sec.7","confidence":0.72,"description":"Section 6 states the Act applies to collection, storage, handling, etc. 
of personal information regardless of when collected, suggesting broad and paramount application. Section 7 states the Act is 'intended to operate subject to the provisions of other Acts' regulating the same activities, meaning other Acts take precedence. These two provisions pull in opposite directions: sec.6 asserts universal application, sec.7 subordinates the Act to other legislation."},{"severity":"medium","section_a":"sec.3","section_b":"sec.29","confidence":0.65,"description":"Section 3 states the Act's primary object is to provide for 'fair collection and handling' of personal information and requires the Act to be 'applied and interpreted to further' that object. Section 29 allows law enforcement agencies to depart from QPPs 3.6, 5, 6 and 10.1 — which include core fairness, transparency and access principles — on the agency's own satisfaction that non-compliance is necessary. Allowing self-assessed exemptions from fundamental principles conflicts with the interpretive mandate to always further fair collection and handling."},{"severity":"low","section_a":"sec.27","section_b":"sec.38","confidence":0.6,"description":"Section 27 imposes a blanket obligation on agencies to comply with all QPPs. Section 38 carves out a specific exemption, providing agencies do not contravene QPP requirements merely by providing personal information to a Minister about matters relevant to their portfolio. However, section 20 already limits how the Act applies to Ministers. Section 38 creates an additional, broader carve-out for agencies giving information to Ministers, potentially allowing significant information flows that would otherwise breach QPPs, in tension with the unconditional compliance obligation in sec.27."},{"severity":"medium","section_a":"sec.35","section_b":"sec.37","confidence":0.7,"description":"Section 35(1) requires an agency to take 'all reasonable steps' to bind contracted service providers to privacy requirements. 
Section 37 provides that if an agency fails to do so, the obligations attach to the contracting agency instead. This creates a perverse incentive: an agency that deliberately fails to bind a service provider simply absorbs the obligations itself, with no additional penalty or consequence for the failure. The compliance mechanism in sec.35 is undermined by the fallback in sec.37 which makes non-compliance costless."},{"severity":"medium","section_a":"sec.47","section_b":"sec.57","confidence":0.75,"description":"Section 47 defines an eligible data breach as one 'likely to result in serious harm.' Section 57 applies to 'an eligible data breach' where remedial action has been taken such that the breach is 'no longer likely to result in serious harm.' These provisions contradict each other: sec.57 applies to something (an eligible data breach) whose defining characteristic (likelihood of serious harm) has been eliminated by the very conduct sec.57 is describing. The breach simultaneously is and is not an eligible data breach."},{"severity":"low","section_a":"sec.48(ssec.1)","section_b":"sec.48(ssec.2)(b)","confidence":0.62,"description":"Section 48(1) applies to agencies that 'know, or reasonably suspect' a data breach is eligible. Section 48(2)(b) then requires assessment of whether there are reasonable grounds to believe it is eligible only 'if the agency does not know.' The section therefore applies to agencies that know but then constructs a key obligation (assessment) that only applies to those who do not know. An agency that 'knows' is bound by sec.48(1) but has no assessment obligation under sec.48(2)(b), yet has containment obligations. 
The drafting conflates the triggering condition with the operative obligations inconsistently."},{"severity":"low","section_a":"sec.53(ssec.1)(c)","section_b":"sec.55","confidence":0.55,"description":"Section 53(1)(c) requires publication on an agency website for at least 12 months when individual notification is not practicable, but carves out 'information that would prejudice the agency's functions.' Section 55 separately exempts agencies from division 2 notification obligations where compliance would prejudice an investigation or proceedings. These provisions overlap but are not coextensive: sec.53(1)(c) allows selective omission of prejudicial content while still requiring publication; sec.55 allows complete exemption. An agency could rely on either provision with different outcomes for the same facts, creating inconsistent application."}]},"summary":{"name":"Information Privacy Act 2009","slug":"information-privacy-act-2009","title_id":"qld:act-2009-014","version_id":29914,"analysis_type":"summary","content_quality":"ok","complexity_score":3,"scope_assessment":{"changed":false,"description":"Complete in-force Queensland statute of 353,589 characters covering the full information privacy framework for the Queensland public sector."},"complexity_factors":["13 QPPs covering the full lifecycle of personal information","Mandatory data breach notification regime in Chapter 3A","Contracted service provider binding regime","Complaint, investigation and QCAT enforcement pathway","Interaction with Commonwealth Privacy Act framework (parallel concepts)"],"plain_english_summary":"The Information Privacy Act 2009 (Qld) is the primary statute governing how Queensland Government agencies collect, hold, use and disclose personal information. 
Its primary object under s 3 is to provide for the fair collection and handling of personal information in the public sector environment.\n\nThe Act requires Queensland public sector agencies, and their contracted service providers, to comply with 13 Queensland Privacy Principles (QPPs) set out in Schedule 3. The QPPs cover: transparent management of personal information (QPP 1); anonymity and pseudonymity options (QPP 2); collection of solicited personal information (QPP 3); unsolicited personal information (QPP 4); notification of collection (QPP 5); use or disclosure (QPP 6); direct marketing (QPP 7); cross-border disclosure (QPP 8); government identifiers (QPP 9); quality (QPP 10); security (QPP 11); access by individuals to their own information (QPP 12); and correction (QPP 13).\n\nContracted service providers performing government functions under a contract with an agency are bound by relevant QPPs as if they were agencies under Chapter 2, Part 3.\n\nChapter 3A (inserted following Commonwealth data breach notification reforms) creates a mandatory data breach notification regime. Agencies must assess suspected eligible data breaches under Chapter 3A, Part 2, notify individuals and the Information Commissioner of eligible data breaches under Part 3, and cooperate with the Information Commissioner's oversight role under Part 4.\n\nThe Information Commissioner (Queensland) receives and investigates privacy complaints under the complaint and investigation framework. Individuals who believe an agency has interfered with their privacy may complain to the Information Commissioner, who may investigate and conciliate or refer the matter for hearing before the Queensland Civil and Administrative Tribunal.\n\nQPP codes may be approved under Chapter 3, Part 1, allowing agencies or sectors to adopt modified privacy rules binding on their members. 
The Act operates subject to other Acts that regulate personal information (s 7), meaning more specific privacy or secrecy laws prevail over the QPPs in cases of conflict."},"kimi_summary":{"_metrics":{"completionTokens":627},"content_quality":"ok","complexity_score":7,"scope_assessment":{"changed":true,"description":"The legislation has expanded significantly from its original 2009 scope. The 2023 amendments (No. 32) introduced an entirely new Chapter 3A with comprehensive data breach notification obligations, added new complaint handling procedures with mandatory internal complaint periods, created new powers for authorised officers to enter agency premises, and established information-sharing arrangements with cybersecurity agencies. The original Act focused primarily on the QPPs and complaints; the current version adds proactive breach management, investigation powers, and broader commissioner functions."},"complexity_factors":["Multiple nested definitions (e.g., 'personal information' → 'document' → 'document to which privacy principle requirements do not apply' → Schedule 1)","Cross-referencing between QPPs, schedules, and chapters (e.g., QPP 6.2 references Schedule 4 permitted situations)","Conditional exemptions with layered requirements (e.g., data breach exemptions in ss 55-60 each have distinct triggering conditions)","Dual-track compliance: QPPs for general handling PLUS Chapter 3A specific obligations for data breaches","Extensive transitional provisions preserving pre-2023 amendment rights and processes","Contracted service provider provisions create parallel obligations through 'service arrangements'","Multiple enforcement pathways: compliance notices, tribunal review, criminal offences, and civil liability protections"],"plain_english_summary":"This is Queensland's **Information Privacy Act 2009**, which sets out how Queensland government agencies must handle your personal information. 
Think of it as the rulebook for the public sector's use of data about identifiable individuals.\n\n**What it does:**\n- Establishes **11 Queensland Privacy Principles (QPPs)** that agencies must follow when collecting, using, storing, disclosing, and securing personal information\n- Creates a **data breach notification scheme** (Chapter 3A) requiring agencies to assess suspected breaches, notify affected individuals, and report to the Information Commissioner when serious harm is likely\n- Sets up the **Information Commissioner** and **Privacy Commissioner** as independent watchdogs with powers to investigate complaints, issue compliance notices, and conduct audits\n- Provides a **complaints pathway** where individuals can seek redress for privacy breaches, including mediation and tribunal hearings\n\n**Who it covers:**\n- **Agencies**: Ministers, government departments, local councils, and public authorities (with some exclusions)\n- **Contracted service providers**: Private companies doing government work must comply as if they were the agency itself\n- **Law enforcement agencies**: Get limited exemptions for operational reasons\n\n**Key protections for individuals:**\n- Right to know what information is held and why\n- Right to access and correct your personal information\n- Right to complain about mishandling\n- Agencies must notify you if your data is breached in a way likely to cause serious harm\n\n**Why it matters:** It gives Queenslanders enforceable rights over their personal information held by government, with real consequences for agencies that don't comply—including fines and tribunal 
orders."}},"importantCases":[],"_links":{"self":"/api/acts/information-privacy-act-2009","history":"/api/acts/information-privacy-act-2009/history","analysis":"/api/acts/information-privacy-act-2009/analysis","conflicts":"/api/acts/information-privacy-act-2009/conflicts","importantCases":"/api/acts/information-privacy-act-2009/important-cases","documents":"/api/acts/information-privacy-act-2009/documents"}}