Access keys | Skip to primary navigation | Skip to secondary navigation | Skip to content | Skip to footer |

• Strategies
  • Smart Directions Statement (PDF, 580kb)
  • State Owned Telecommunications Infrastructure (SOTI)
  • Rationalisation of Agency Data Network
  • Whole-of-Government Desktop Strategy
  • Queensland Telecommunications Strategic Framework
• Standards
  • Government Enterprise Architecture
  • Government Information Architecture
  • Information Standards
• Whole-of-Government contracts
  • Adobe Systems Incorporated Volume Licensing Arrangement (CLP)
  • Contracts managed by Shared Service Solutions
  • Microsoft Products and Services
  • Mobile Panel Arrangement
  • SmartAccess Panel Arrangement
  • SmartNet Panel Arrangement
  • State Government Copyright Agreements
• Industry information
  • Smart Directions Focus Area 5
  • Industry update forums
  • Guidelines for ICT Industry Presentations
• Projects
  • Queensland Government ICT Career-Graduate Program
  • Queensland Government Authentication Framework
  • Consolidation of Agency Data Networks
  • Household Survey - Computer & Internet usage
  • Ignite - innovation in the Queensland Government
• Funding
  • Whole-of-Government ICT Project Funding Program
• Smart Directions
  • Strategic Information and ICT Board
  • Strategic Information and ICT CEO Committee
  • Program management office

Information Standards

• Authority & implementation
• Current Information Standards
• Development & management of standards
• Toolbox
• Standards under development
• Repealed & archived standards
• Glossary of terms
• Key contacts

Information Privacy (IS42)

Purpose

This Information Standard outlines the requirements for Queensland Government agencies to responsibly collect, store, use and disclose personal information in the Queensland Government public sector. This information Standard must be read and implemented in-conjunction with the Queensland Government Information Privacy Principles (link to be developed) and the Information Privacy Guidelines (link to be developed).

Information Privacy (IS42) fits within the Information Management domain of the Government Information Architecture (GIA) Reference Framework.

This information standard excludes the following forms of personal information:

Covert activity

• Personal information about an individual arising out of or in connection with a controlled operation or controlled activity within the meaning of the Police Powers and Responsibilities Act 2000;
• Personal information about an individual arising out of or in connection with a covert undertaking of an operation, investigation or function of a law enforcement agency;
• Personal information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth.

Witness protection

• Personal information about a witness who is included in a witness protection program under the Witness Protection Act 2000 or who is subject to other witness protection arrangements made under an Act.

Disciplinary actions and misconduct

• Personal information about an individual arising out of a complaint made under Part 7 of the Police Service Administration Act 1990;
• Personal information about an individual arising out of an investigation of misconduct or official misconduct under the Crime and Misconduct Act 2001 and the Coroners Act 2003.

Whistleblowers

• Personal information about an individual that is contained in a public interest disclosure within the meaning of the Whistleblowers Protection Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure.

Cabinet and Executive Council documents

• Personal information about an individual that is contained in a document of a kind referred to in sections 36 and 37 of the Freedom of Information Act 1992 (ie Cabinet and Executive Council documents).

Commissions of Inquiry

• Personal information about an individual arising out of a Royal Commission or commission or inquiry.

Policy statement

Personal information held by Queensland agencies must be responsibly and transparently collected and managed (including any transfer or sale of personal information held by agencies to other agencies, other levels of Government or the private sector) in accordance with the requirements of the Queensland Government Information Privacy Principles (IPPs) (link to be developed).

The government’s privacy scheme is designed to increase public confidence in the security of information held by Queensland Government agencies. It is essential that information in the possession of the Queensland Government is appropriately disclosed and that it is adequately protected and used for the purposes for which it was provided and/or intended, except when required by law.

Personal information is to be managed in accordance with the Information Privacy Principles (IPPs) (link to be developed) adapted from the public sector IPPs contained in the Commonwealth Government Privacy Act 1988, and all other relevant legislative or statutory obligations under which an agency operates.

Information Standard 42 is administratively based. Where conflicting requirements exist any legislative requirements will supercede compliance with this Information Standard. Implementation is subject to any existing outsourcing arrangements, contracts and licenses. Any future outsourcing arrangement, contracts and licenses must conform to the provisions of this Information Standard.

Issue & review

This standard is currently under Review for Comment.

Authority

The authority for the implementation of the mandatory principles of Information Standards is primarily derived from Sections 22 and 56 of the Financial Management Standard 1997 (FMS). The FMS is subordinate legislation to the Financial Administration and Audit Act 1977 (FAAA). As such, Information Standards apply to accountable officers and statutory bodies operating under the sections of this legislation.

This Information Standard will also apply to any statutory Government Owned Corporation (GOC) and its subsidiaries where the shareholding minister has given notification pursuant to s. 123 of the Government Owned Corporations Act 1993.

The mandatory principles and the Queensland Government IPP’s were approved by Cabinet in September 2001. This cabinet decision endorsed that:

• Information Standard 42 covers the transfer or sale of personal information held by agencies to other agencies, other levels of Government and the private sector in accordance with the requirements of the Information Privacy Principles (IPPs) in the Commonwealth Privacy Act 1988.
• The Department of Justice and Attorney-General (JAG) have lead agency responsibility for the privacy framework, including the provision of ongoing guidance and support for agencies.
• Responsibility for resolution of any complaints of breaches of privacy rests with chief executives of public sector entities in keeping with agency level responsibilities addressing complaints associated with breaches of a code of conduct.

Implementation

The following bodies are exempt from Information Standard 42:

• Royal commissions or commissions of inquiry;
• Patents and Citizens Associations as defined in Part 6 of the Education (General Provisions) Act 1989.
• Queensland Department of Health (Note: Queensland Health is bound by IS42A. Statutory bodies) within the meaning of the Financial Administration and Audit Act 1977) administered by the Minister for Health, are, however, bound by IS42).
• Courts and tribunals (including the holders of office) are exempt with respect to their judicial and quasi-judicial functions only. Judicial functions include coroners exercising their powers under the Coroners Act 2003.
• Law enforcement agencies are exempt from Information Privacy Principles (IPPs) 2, 3, 9, 10 and 11, for all functions except administrative functions.

The implementation of this Standard must be consistent with the requirements outlined in the FMS. Existing mandatory requirements of the previous version (V1.00.01) remain unchanged. Version 2.00.01 has been amended for consistency with other Queensland Government Information Standards.

---

Mandatory Principles

Principle 1 – Adoption of the Queensland Government Information Privacy Principles (IPPs)

To ensure the management of personal information is applied appropriately and consistently, agencies must adopt and follow the Department of Justice and Attorney General Queensland Government IPPs (link to be developed) when collecting, handling, using and disclosing personal information. These principles are (all links below to be developed) :

• IPP 1: Manner and purpose of collection of personal information;
• IPP 2: Solicitation of personal information from individual concerned;
• IPP 3: Solicitation of personal information generally;
• IPP 4: Storage and security of personal information;
• IPP 5: Information relating to records kept by record-keeper;
• IPP 6: Access to records containing personal information;
• IPP 7: Alteration of records containing personal information;
• IPP 8: Record-keeper to check accuracy etc. of personal information before use;
• IPP 9: Personal information to be used only for relevant purposes;
• IPP 10: Limits on use of personal information; and
• IPP 11: Limits on disclosure of personal information.

Implementation advice

Principle 2 – Planning and Management of Privacy

To ensure that personal information held by the agencies is responsibly and transparently collected and managed in accordance with the Queensland Government IPPs (link to be developed) , agencies must establish effective management and review processes. At a minimum, agencies must:

• develop and publish chief executive officer (CEO) approved privacy plans to the agency website and review and update these plans annually;
• implement the agency privacy plan according to a schedule outlined in the plan, subject to any existing contractual obligations, licenses, or other outsourcing arrangements;
• develop a privacy and security statement and publish it on the agency website;
• nominate a privacy contact officer (PCO) who will be the first point of contact for privacy issues within their agency; and
• ensure administrative processes and practices are in place for dealing with privacy complaint resolution and the accessing and correcting of personal information records.

  Implementation advice

---

Implementation advice and toolboxes

The following implementation checkpoints can be used by agencies to assist in implementing the mandatory principles of the standard

IS42 Implementation Toolbox

Principle 1 - Implementation advice

• Lead Agency

The Queensland Government IPP’s are administered and managed by the Department of Justice and Attorney General (JAG). Agencies should seek further advice from JAG or refer to the JAG Privacy Website for information relating to the implementation of all mandatory principles and the 11 IPPs. Information Privacy Guidelines (link to be developed) have also been developed and are maintained by JAG to assist agencies with the implementation of the Queensland Government IPPs.

• Queensland Government IPPs

The Queensland Government IPPs administered and managed by JAG consist of a set of 11 Information Privacy Principles based on the Commonwealth Privacy Act 1988 (Cth). In summary these IPPs deal with:

• Collection of personal information (IPPs 1-3)
  IPPs 1, 2 and 3 deal with what personal information may be collected, the way it is collected and what notices must be given to the person from whom the information is collected. An agency can only collect personal information directly related to its activities and only by lawful and “fair” means. Detailed requirements can be found in the Queensland Government IPPs (link to be developed) and Information Privacy Guidelines (link to be developed).
  
  
• Storage and security of personal information (IPPs 4-5)
  IPP 4 and 5 deal with requirements for ensuring that personal information is stored securely and protected from loss, unauthorised access, use, modification, disclosure and misuse. Detailed requirements can be found in the Queensland Government IPPs (link to be developed) and Information Privacy Guidelines (link to be developed).
  
  
• Access to and correction of personal information (IPPs 6-7)
  IPPs 5, 6 and 7 deal with individuals obtaining access to and correcting the personal information held by agencies. Agencies in possession of personal information are to ensure that there are reasonable safeguards to prevent unauthorised access, use or disclosure of personal information. Detailed requirements can be found in the Queensland Government IPPs (link to be developed) and Information Privacy Guidelines (link to be developed).
  
  
• Accuracy of personal information (IPP 8)
  IPP8 relates to agencies taking reasonable steps to ensure that any personal information proposed to be used is accurate, up-to-date and complete. Detailed requirements can be found in the Queensland Government IPPs (link to be developed) and Information Privacy Guidelines (link to be developed).
  
  
• Using and disclosing personal information (IPPs 9-11)
  IPPs 9, 10 and 11 deal with how personal information is used and disclosed by agencies. In general, an agency must use personal information only for the purpose for which it was collected and disclose personal information only if the individual concerned is aware of, or has consented to that disclosure. However, an agency may use or disclose personal information if it is authorised by law or if it is necessary for certain types of law enforcement. Detailed requirements can be found in the Queensland Government IPPs (link to be developed) and Information Privacy Guidelines (link to be developed).
  
  
• Disclosure of Personal Information to Members of Parliament or their Staff Acting on Behalf of Constituents

Guidelines for the Disclosure of Personal Information to Members of Parliament or their Staff Acting on Behalf of Constituents have been developed to support Information Privacy (IS42). These Guidelines are to be used as additional reference material by Queensland Government Members of Parliament in the performance of their duties when members act on behalf of their constituents and receive information from government about (or on behalf of) constituents.

• Additional Legislation

There are several pieces of legislation which regulate the disclosure of private and personal information that is agency-specific. As legislation takes precedence over the administratively based Information Standards, agencies will need to ascertain those laws which specifically relate to their activities in disclosing and using private and personal information.

• Privacy Codes of Practice

The development of privacy codes of practice are permitted under Information Standard 42. A privacy code of practice may modify the application of any one or more of the IPPs to an agency, but may not modify IPPs themselves.

Codes can apply to any one or more of the following:

• any specified class or personal information;
• any specified agency or class of agency;
• any specified activity or specified class of activity.

Codes of practice are to be developed by the responsible agency, approved by JAG and then issued by the responsible agency. Once issued, codes should be published together with the agency privacy plan on the agency website. Further information can be found in the Information Privacy Guidelines (link to be developed).

Principle 2 - Implementation advice

• Implementation Activities

There are a number of implementation activities that need to be undertaken to meet Information Standard 42 requirements. The JAG Information Privacy Guidelines contains information on implementation activities that includes privacy plan development and management, writing a privacy and security statement, notice formats and conducting an audit of personal information. The Information Privacy Guidelines (link to be developed) are located in the Information Privacy (IS42) Toolbox.

• Privacy Plan

The privacy plan should outline the responsibilities and processes in relation to collection, storage, use and disclosure of personal information. The purpose of the agency's privacy plan is to ensure that personal information held by the agency is responsibly and transparently collected and managed in accordance with the Queensland Government IPPs. Details on the content and activities to be addressed with developing the agency plan can be found in the Information Privacy Guidelines (link to be developed).

• Privacy Contact Officer

A privacy contact officer (PCO) should be the first point of contact for privacy issues within the agency. The PCO may also, at the discretion of the agency CEO, be the first point of contact for any privacy complaints made to the agency. Suggested responsibilities for the agency PCO in the development of the agency privacy plan are outlined in the Information Privacy Guidelines (link to be developed).

• Contractors and Consultants

Where an agency engages a contractor to perform a service on its behalf and for its benefit, the agency must take steps to ensure the contractor observes the agency practices regarding the management of personal information. Agencies should assess on a case-by-case basis how security and privacy issues need to be addressed in contracts and offers, however agencies should consider the inclusion of clauses relating to privacy of personal information when engaging with third parties. Agencies should refer to Information Standards, Information Security (IS18) and ICT Procurement (IS13) for information relating to this issue.

• Privacy and websites

Privacy notices must be given in accordance with the Queensland Government IPP 2. However, web pages present challenges as to how to meet the requirements of this principle. Details of Standard text for web page notices (link to be developed) that relate to the information collected about the Internet user simply accessing and moving about the site can be found in the Information Privacy (IS42) Toolbox.

• Legal Notices

The Information Privacy Guidelines (link to be developed) contain a model privacy and security statement, which agencies can use as a starting point for privacy and security statements. The model statement should be viewed as the minimum agencies should provide, however agencies should feel free to provide more information if they believe it will be of use, or of interest to the public. Agencies should also refer to Information Standard, Internet (IS26) for further information regarding legal notices.

• Monitoring of employee email

Any monitoring of employee use of information and communication technology facilities and devices must be in accordance with the relevant department or agency’s Privacy Plan.

Further advise regarding privacy issues in relation to the monitoring of email are currently been investigated and will be updated as information becomes available. Interim advice is located in the Use of Communication and Information Devices (IS38) Toolbox (Toolbox to be developed).

• Shared Service Initiative

A fundamental part of the Shared Service Initiative is the disclosure of personal information about a participating agency’s employee to the shared service provider. Shared service providers should also ensure all policies and procedures reflect the principles contained in Information Standard 42. Shared service providers should refer to the SSIO Information Classification and Control Better Practice Guide (document is being finalised by SSIO and link to be developed) for further information regarding the treatment of personal information.

• Accessing and correcting records

Individuals have the right to access and amend their personal information, which has limitations under the Freedom of Information Act 1992. Agencies should at a minimum ensure the relevant process and procedures for an individual to obtain access to and correction of their personal information is included in the agency privacy plan. Further details can be found in the Information Privacy Guidelines (link to be developed).

• Privacy Complaints

If a person believes that an agency has not dealt with their personal information in accordance with an IPP they may make a complaint in writing to the agency. As a minimum the nominated complaints resolution officer should ensure the complaints procedures and review process as outlined in the Information Privacy Guidelines (link to be developed) is included in the agency privacy plan.

Other relevant Information Standards

• ICT Procurement (IS13)
• Information Security (IS18)
• Internet (IS26)
• Use of Communication and Information Devices (IS38)

Last updated 8 Feb 2005

If you are having difficulty downloading, viewing or printing PDFs and documents please refer to our help page.

Copyright | Disclaimer | Privacy | Access keys

© The State of Queensland - Queensland Government Chief Information Office 2006.

Queensland Government