Privacy refers to the right of an individual to have a private life, free from interference from the government, businesses, and other individuals. Privacy is all about the right of control an individual has over their personal information. There are pieces of legislation internationally and within Australia that outline how companies and the government can handle the personal information of individuals. This protects an individual’s private information and reduces the interference entities can have in an individual’s private life without their consent.
Commonly when we think about privacy, we think about big entities that we give personal information to, such as Facebook or Google. However, governments are also heavily regulated in how they can handle personal information of individuals. The right to privacy is a key aspect of democracy and freedom.
How does the Queensland Government manage privacy?
In Queensland, the Information Privacy Act 2009 (IP Act) regulates how the Queensland Government can:
- disclose; and
the personal information of individuals. The rules that the Queensland Government must follow when handling personal information are called the Privacy Principles.
What government entities have to comply with the IP Act?
The IP Act applies to Queensland Government agencies including:
- Queensland Government Departments
- Local government; and
- Public authorities (e.g. universities).
The IP Act only regulates personal information held by the Queensland Government, other States and Territories across Australia are regulated by their own legislation. Private companies in Queensland are regulated by the federal legislation, the Privacy Act 1988 (Cth).
What does the IP Act apply to?
The IP Act only regulates the use of personal information by the Queensland Government. Personal information is any information that can identify an individual. Some examples of personal information include:
- signatures; and
- telephone numbers
Only a human being has personal information under the IP Act. Businesses and other entities do not have personal information.
What can the Queensland Government do with my personal information?
The Privacy Principles outline the rules the Queensland Government must comply with when handling personal information. The general rules are outlined below.
When a Queensland Government agency is collecting personal information about an individual it must only:
- collect personal information if it is needed to perform a function or role of the agency
- collect the amount of personal information that is necessary to perform its role
- collect personal information that is complete and up to date
- collect personal information in a way that is lawful, fair and not unreasonably intrusive into the personal affairs of the individual.
When a Queensland Government agency is going to use your personal information, it must:
- make sure the personal information is accurate and up to date
- only use the amount of personal information necessary to perform the function
- only use the personal information for the purpose it was provided for
For example, if you provided your name and address to an agency for the purpose of dealing with a complaint, it would be wrong for the agency to use that personal information to issue you with an infringement notice.
A Queensland Government agency must never disclose personal information to anyone other than the subject of the information.
For example, if an agency intends to send health information to John Smith and accidentally sends it to Jane Smith, the agency will have breached this rule.
A Queensland Government agency must protect personal information against:
- unauthorised access, use, modification or disclosure; and
- any other type of misuse.
For example, if an agency stores information on a database and does not limit access to that database to appropriate staff, it will have breached this rule.
However, the IP Act sets out several circumstances where a government agency does not have to comply with these rules. For example, if an individual consents to disclosure of their personal
In early 2021, I will be releasing a privacy course that will guide you through each of the principles and their exceptions in more detail and arm you with resources necessary to protect your personal information held by the government.
What happens if the Queensland Government doesn’t comply with these rules?
If a Queensland Government agency does not comply with one of the privacy rules, they have committed a privacy breach. The agency will be required to assess the risks associated with the breach and determine whether to notify the affected individual. They will also need to take steps to ensure the breach does not happen again.
Notification in Queensland is not mandatory. This means that a Queensland Government agency can commit a privacy breach but is not required to notify the affected individual. However, most agencies will notify if the beach is serious or could have a negative impact on an individual (for example, identity theft).
What can I do if an agency has breached my privacy?
If a Queensland Government agency has failed to comply with one of the privacy rules in relation to an individual’s personal information, that individual can lodge a privacy complaint with the agency.
The agency will consider the complaint and provide a response within 45 business days to the complaint. The agency may offer a range of remedies to try to resolve the complaint including:
- an apology;
- compensation; and
- a change in systems to ensure another breach does not happen.