Amendments to the Queensland Information Privacy Act 2009 come into effect on 1 July 2025
June 3, 2025
In December 2023 the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Act 2023 (Qld). Amendments to the Information Privacy Act 2009 (Qld) will come into effect on 1 July 2025.
The most notable reform is the introduction of new Queensland Privacy Principles (QPPs) that replace the existing Information Privacy Principles and the National Privacy Principles.
The most relevant QPPs are QPP 11, QPP 12 and QPP 13.
- QPP 11 requires agencies to take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification or disclosure.
- QPP 12 requires agencies to give an individual access to a document in their control, containing the individual’s personal information.
- QPP 13 requires agencies to take reasonable steps to correct the personal information they hold to ensure that, having regard to the purpose for which it is held, it is accurate, up to date, complete, relevant and not misleading.
QPP 11
QPP 11 requires:
- agencies to take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification or disclosure; and
- agencies to destroy or de-identify personal information once it is no longer needed for any purpose for which it could be used or disclosed under the QPPs.
The reasonable steps an agency must take to ensure the security of personal information will depend on the circumstances, which commonly include:
- the amount and sensitivity of the personal information held;
- the possible adverse consequences for an individual if there is a breach and their personal information is not handled in accordance with the QPPs;
- the practical implications of implementing security measures, considering the time and cost involved (note: it is not enough for an agency to claim that a security measure is time-consuming or costly for that alone to make the steps unreasonable); and
- whether a particular security measure is privacy invasive.
Destruction or de-identification of personal information
An agency that keeps personal information must genuinely expect future use or disclosure, actively considering if the information will be required for a permitted purpose. Retaining information ‘just in case’ is unacceptable.
Generally, agency documents can only be destroyed or altered if the Public Records Act authorises it. The obligation for an agency to take reasonable steps to destroy or de-identify personal information will not apply to a document that must be retained under Australian law.
If personal information is stored on third-party hardware, the agency must take reasonable steps to verify that the information was destroyed or de-identified.
Putting personal information ‘beyond use’
If an agency cannot irretrievably destroy personal information held in electronic format, it must take reasonable steps to put the information ‘beyond use’. Personal information is considered beyond use if it is no longer available for use in the ordinary performance of the agency’s functions. The agency must:
- not be able, and will not attempt, to use or disclose the personal information;
- not be able to give any other entity access to the personal information;
- apply appropriate technical, physical, and organisational security measures, including access controls, logs, and audit trails; and
- commit to taking reasonable steps to irretrievably destroy the personal information if or when this becomes possible.
Reasonable steps
The reasonable steps an agency must take to destroy or de-identify personal information for the purposes of QPP 11 depend on the circumstances, which often involve consideration of:
- the amount and sensitivity of the personal information held;
- the possible adverse consequences if information is not destroyed or de-identified;
- the nature of the agency;
- the agency’s information handling practices, such as how it collects, uses and stores personal information, including whether personal information handling practices are outsourced to third parties.
QPP 12
QPP 12.1 provides a right to access personal information held by an agency. Agencies must provide access to personal information upon request, unless there are legal or confidentiality grounds that justify refusal.
QPP 13
QPP 13.1 requires agencies to take reasonable steps to correct the personal information they hold to ensure that, having regard to the purpose for which it is held, it is accurate, up to date, complete, relevant and not misleading.
An agency is only required to take these reasonable steps if:
- it is satisfied, independent of any request, that personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which it is held; or
- the individual asks the agency to correct the information.
If an agency refuses to correct personal information at an individual’s request, the individual can ask the agency to provide a statement with the information to that effect. The statement should indicate that the information is inaccurate, out of date, incomplete, irrelevant, or misleading, and clarify whether it is based on the individual’s assertion or the agency’s inability to take reasonable steps to correct it.
Being satisfied that personal information is incorrect does not always require detailed analysis and the agency can ask for more information in reviewing a correction request.
Taking reasonable steps to correct personal information includes making appropriate additions, deletions or alterations to a record. If there are no reasonable steps an agency can take, it can decline to correct personal information. Agencies should have regard to:
- the sensitivity of the information;
- the possible adverse consequences for an individual if a correction is not made;
- the practicability, including the time and cost involved (notably, it is not enough for an agency to claim that correcting information is time-consuming or costly for that alone to make the steps unreasonable);
- the likelihood that the agency will use or disclose the personal information;
- the purpose for which the personal information is held; and
- whether the personal information is in the physical possession of the agency or a third party.
Contracted service providers are required to comply with the QPPs and are bound by section 35 of the IP Act.
Agencies should ensure there are processes in place for individuals to access and correct their personal information held by bound contracted service providers.