sec.135Performance monitoring, investigation and support functions

### sec.135 Performance monitoring, investigation and support functions The functions of the information commissioner include— on the commissioner’s own initiative or otherwise— conducting— reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or reviews of acts or practices of agencies in relation to compliance with chapter 3A , including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A ; and leading the improvement of public sector privacy administration in Queensland by taking appropriate action to— promote understanding of and compliance with this Act; and provide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and monitor and audit relevant entities’ compliance with this Act; and initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and comment on any issues relating to the administration of privacy in the public sector environment; and without limiting subparagraph (v) , identify and comment on legislative and administrative changes that would improve the administration of this Act; and prepare, or assist in the preparation of, QPP codes; and assist relevant entities in complying with obligations under QPP codes; and prepare guidelines for permitted general situations under chapter 3 , part 2 ; and issuing guidelines under section 138 ; and supporting complainants for privacy complaints, and all relevant entities to the extent they are subject to the operation of this Act; and if the commissioner considers it appropriate, reporting to the Speaker on the findings of a reportable matter, including reporting any recommendations to the relevant entity the subject of the reportable matter. In this section— reportable matter means— a review or investigation under subsection (1) (a) ; or an audit under subsection (1) (b) (iii) . s 135 amd 2017 No. 17 s 127 ; 2023 No. 32 s 35 (sec.135-ssec.1) The functions of the information commissioner include— on the commissioner’s own initiative or otherwise— conducting— reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or reviews of acts or practices of agencies in relation to compliance with chapter 3A , including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A ; and leading the improvement of public sector privacy administration in Queensland by taking appropriate action to— promote understanding of and compliance with this Act; and provide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and monitor and audit relevant entities’ compliance with this Act; and initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and comment on any issues relating to the administration of privacy in the public sector environment; and without limiting subparagraph (v) , identify and comment on legislative and administrative changes that would improve the administration of this Act; and prepare, or assist in the preparation of, QPP codes; and assist relevant entities in complying with obligations under QPP codes; and prepare guidelines for permitted general situations under chapter 3 , part 2 ; and issuing guidelines under section 138 ; and supporting complainants for privacy complaints, and all relevant entities to the extent they are subject to the operation of this Act; and if the commissioner considers it appropriate, reporting to the Speaker on the findings of a reportable matter, including reporting any recommendations to the relevant entity the subject of the reportable matter. (sec.135-ssec.2) In this section— reportable matter means— a review or investigation under subsection (1) (a) ; or an audit under subsection (1) (b) (iii) . - (a) on the commissioner’s own initiative or otherwise— (i) conducting— (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A , including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and (ii) investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A ; and - (i) conducting— (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A , including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and - (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or - (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A , including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and - (ii) investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A ; and - (b) leading the improvement of public sector privacy administration in Queensland by taking appropriate action to— (i) promote understanding of and compliance with this Act; and (ii) provide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and (iii) monitor and audit relevant entities’ compliance with this Act; and (iv) initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and (v) comment on any issues relating to the administration of privacy in the public sector environment; and (vi) without limiting subparagraph (v) , identify and comment on legislative and administrative changes that would improve the administration of this Act; and (vii) prepare, or assist in the preparation of, QPP codes; and (viii) assist relevant entities in complying with obligations under QPP codes; and (ix) prepare guidelines for permitted general situations under chapter 3 , part 2 ; and - (i) promote understanding of and compliance with this Act; and - (ii) provide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and - (iii) monitor and audit relevant entities’ compliance with this Act; and - (iv) initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and - (v) comment on any issues relating to the administration of privacy in the public sector environment; and - (vi) without limiting subparagraph (v) , identify and comment on legislative and administrative changes that would improve the administration of this Act; and - (vii) prepare, or assist in the preparation of, QPP codes; and - (viii) assist relevant entities in complying with obligations under QPP codes; and - (ix) prepare guidelines for permitted general situations under chapter 3 , part 2 ; and - (c) issuing guidelines under section 138 ; and - (d) supporting complainants for privacy complaints, and all relevant entities to the extent they are subject to the operation of this Act; and - (e) if the commissioner considers it appropriate, reporting to the Speaker on the findings of a reportable matter, including reporting any recommendations to the relevant entity the subject of the reportable matter. - (i) conducting— (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A , including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and - (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or - (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A , including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and - (ii) investigating an act done or practice engaged in by a relevant entity in relation to personal information, if the commissioner is satisfied on reasonable grounds that the act or practice may contravene the privacy principle requirements or, if the entity is an agency, the entity’s obligations under chapter 3A ; and - (A) reviews of personal information handling practices of relevant entities, including technologies, programs, policies and procedures, to identify privacy related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; or - (B) reviews of acts or practices of agencies in relation to compliance with chapter 3A , including data handling systems and practices, to identify data breach related issues of a systemic nature generally or to identify particular grounds for the issue of compliance notices; and - (i) promote understanding of and compliance with this Act; and - (ii) provide best practice leadership and advice, including by providing advice and assistance to relevant entities on the interpretation and administration of this Act; and - (iii) monitor and audit relevant entities’ compliance with this Act; and - (iv) initiate privacy education and training, including education and training programs targeted at particular aspects of privacy administration, and education and training programs to promote greater awareness of the operation of this Act in the community and within the public sector environment; and - (v) comment on any issues relating to the administration of privacy in the public sector environment; and - (vi) without limiting subparagraph (v) , identify and comment on legislative and administrative changes that would improve the administration of this Act; and - (vii) prepare, or assist in the preparation of, QPP codes; and - (viii) assist relevant entities in complying with obligations under QPP codes; and - (ix) prepare guidelines for permitted general situations under chapter 3 , part 2 ; and - (a) a review or investigation under subsection (1) (a) ; or - (b) an audit under subsection (1) (b) (iii) .