Version number 1.3 | Version effective 03 May 2022
Categories
Technology and information management | Governance
Audience
Department-wide
Purpose
The procedure provides the responsibilities of all employees regarding managing information privacy and right to information requests.
Overview
Outlines the departmental requirements under Information Privacy and Right to Information (RTI) legislation.
Responsibilities
Employees
- be aware of the requirements for protection of personal information as provided in the Personal information guideline (DOCX, 1MB)
- direct any privacy complaints to the department’s Privacy Officer, Information and Governance Management, Digital Transformation, Information and Technologies Branch
- report suspected privacy breaches to their supervisor, manager, director or principal
- action request for information applications in accordance with this procedure
- complete the Keys to managing information External link (DoE employees only) online training course upon induction to the department.
Directors, principals or above
- ensuring their employees are adhering to the requirements for protection of personal information as provided in the Personal information guideline (DOCX, 1MB)
- referring reported privacy breaches to the department’s Privacy Officer to take necessary action
- assessing right to information requests in accordance with this procedure.
Director, Integrity and Assessment, Integrity and Employee Relations
- Responsible for referring complaints, if necessary, to the:
- Crime and Corruption Commission (CCC) as required under section 38 of the Crime and Corruption Act 2001 (Qld) External link, or
- Legal and Administrative Law Branch if a complaint proceeds to the Office of the Information Commissioner or Queensland Civil and Administrative Tribunal (QCAT).
Process
Personal information
Personal information is primarily protected under the Information Privacy Act 2009 (Qld) External link which legislates how the department will:
- collect, store, use and disclose personal information about people (employees, students etc.)
- allow people access to their personal information held by the department
- allow people to request changes or amendments to this information.
For supporting information relating to protection of personal information, refer to the Personal information guideline (DOCX, 1MB).
Collection of personal information
Employees when collecting personal information must:
- only collect personal information directly from the individual, as required to carry out the tasks directly related to the functions and activities of the business unit or school
- only use departmental approved forms, questionnaires, interviews, survey tools or other tools used to collect personal information
- provide a privacy notice (see Personal information guideline (DOCX, 1MB)) to the individual on collection of their personal information.
Security of personal information
Employees must apply protection to the personal information they control by:
- classifying personal information with an information security classification External link (DoE employees only) and applying security controls accordingly
- protecting and securing personal information External link (DoE employees only) in both paper and digital formats and on mobile devices from loss, unauthorised access, use, modification or disclosure, and any other misuse
- reporting any loss of personal information to their manager, director or principal
- not emailing student personal information outside the department’s corporate network.
Provision of personal information
The department publishes details of the type of personal information it holds, for what purpose and use on the How do I access information? External link web page.
An individual whose information is held by the department has the right to expect that any access is permitted only for authorised purposes. Employees must:
- seek approval from their director, principal or above to undertake requests by individuals to access and amend their personal information
- when processing requests, undertake identity authentication (DOCX, 431KB) to be satisfied as to the requestor’s identity or the identity of the parent or guardian for an individual under 18 years, and their right to access or amend the personal information
- where there is doubt about an individual’s right to access or amend personal information must advise them of the RTI and Information Privacy application process External link.
Checking accuracy of personal information
Employees must check the accuracy, completeness and currency of personal information before use.
For further guidance on checking accuracy of personal information, refer to the Personal information guideline (DOCX, 1MB).
Use and disclosure of personal information
Employees must only use personal information for the purpose for which it was collected, unless the individual concerned has consented to the use of the information for another purpose or an exception applies (see the Personal information guideline (DOCX, 1MB)) for details. Any approved use must be recorded in the individual’s file or in the system where the personal information is stored.
Directors, principals or above who authorise requests for disclosure of personal information must:
- ensure requests for disclosure of personal information are in writing and provide justification for why the information is required (see Obtaining and managing student and individual consent procedure)
- ensure the individual concerned is aware of, or has consented to that disclosure
- advise the recipient in writing to not use or disclose the personal information for a purpose other than the purpose for which it was provided
- ensure the disclosure:
- is authorised by law to do so
- is necessary for certain types of law enforcement
- there are reasonable grounds in existence to indicate that the use of this information is necessary to prevent or lessen a serious and imminent threat to the life or health of that person
- record decisions to disclose the information (including reasons for disclosure and the information disclosed).
Principals are also to follow the Access to records held in schools procedure.
Privacy complaints
Employees must direct any privacy complaints to the department’s Privacy Officer. The complainant must have a response within 45 business days.
The Director, Integrity and Assessment, Integrity and Employee Relations will refer the complaint, if necessary, to the:
- Crime and Corruption Commission (CCC) as required under section 38 of the Crime and Corruption Act 2001 (Qld) External link, or
- Legal and Administrative Law Branch if a complaint proceeds to the Office of the Information Commissioner or Queensland Civil and Administrative Tribunal (QCAT).
In some instances it may be necessary for a matter to be referred to the Director, Integrity and Assessment, Integrity and Employee Relations from the CCC for investigation in relation to a potential breach of the Queensland Government’s Code of Conduct for the Queensland Public Service External link, the Standard of Practice External link and/or the Public Service Act 2008 (Qld) External link.
Privacy breaches
Any employee who suspects a breach of privacy must report it to their supervisor, manager, director or principal and email the privacy mailbox. The supervisor or manager will liaise with the department’s Privacy Officer to take necessary action.
Information release, access and use
The department has a number of ways in which members of the community, employees, students and parents/guardians can access information held by the department. The department provides government information to the public to the maximum extent possible, unless on balance it is contrary to the public interest to do so.
Information held by a regional office or central office is also accessed in accordance with the Administrative access scheme for central and regional offices (DOCX, 887KB) process. Access to school related information follows Access to records held in schools procedure. Employees can access their own records through the Human Resources Branch in accordance with the Public Service Regulation 2018 (Qld) External link.
Employees must be aware that any information held in the department (documents, data, emails, text messages, etc. including personal correspondence) can be made available and/or released to the public under Right to Information Act 2009 (Qld) External link (RTI) by:
- proactive publication to the website under ‘published information’ within specified categories of information (also known as a publication scheme)
- an administrative release where information is released to an individual or organisation at their request without having to lodge a formal RTI and Information Privacy Application, or
- a formal RTI and Information Privacy Access Application External link where the information and/or its metadata is published under the disclosure log on the department’s website. Personal information requested under the Information Privacy Act 2009 (Qld) External link also follows this process. This formal application for government-held information should only be made as a last resort.
If an employee receives a request for information they must, in consultation with an Information Access Officer in their business unit, determine which process for release is to be followed considering:
- any requests for information from the media is directly forwarded to the Strategic Community Engagement at media@qed.qld.gov.au
- request for the release of closed or restricted records including those held at Queensland State Archives is to be forwarded to the Director, Information and Governance Management, Information and Technologies Branch as under the Public Records Act 2002 (Qld) External link they may require authorisation for release by the Deputy Director-General, Corporate Services, Assistant Director-General, Information and Technologies, Executive Director, Digital Transformation, Information and Technologies Branch or school Principal (who are authorised by the Director-General to set and change restricted access periods and approve access to restricted records)
- the information that is to be released complies with the Information asset and recordkeeping procedure
- the department supports the exchange of government information with other government entities where there is a business need and it is permitted or required by legislation
- if it has been determined the information can be released directly to the department’s website under the publication scheme the Information Access Officer coordinates with Web and Digital Production, Information and Technologies Branch via Services Catalogue Online External link (DoE employees only) or email webworkrequest@qed.qld.gov.au to release the information
- the Administrative access scheme (DOCX, 887KB) process must be followed for administrative releases
- the information must be provided to the maximum extent possible free of charge
- where unable to provide administrative release or a direct release, direct the requesting party to the department’s website External link to make a formal RTI and/or Information Privacy Application.
Employees receiving a request for information requested under a RTI and Information Privacy Access Application External link are to:
- take all reasonable steps to locate relevant documents (both electronic or hardcopy documents) and respond by the due date set by the Information Release Unit, Legal and Administrative Law Branch this includes:
- any paper or other material on which there is writing
- any paper or other material on which there are marks, figures, symbols or perforations having a meaning for a person qualified to interpret them; and
- any disc, tape or other article or any material from which sounds, images, writings or messages are capable or being produced or reproduced (with or without the aid of another article or device).
- understand that if they do not provide all relevant documents the department and its officers may have to defend their conduct before the Information Commissioner or the Queensland Civil and Administrative Tribunal (QCAT). It could also result in an adverse report to Parliament about the department’s non-compliance
- keep an accurate record of time spent searching for and retrieving the documents. However, the time spent by employees in photocopying, collating or searching for documents where they should have been stored, but are not found to reside there, cannot be recorded by the employee undertaking these tasks.
An employee who has been delegated the role of Information Access Officer for their business unit is to:
- provide advice on right to information and information privacy requests
- coordinate within the required timeframes approval processes including searching for the required information/documents consulting with Legal and Administrative Law Branch, when required
- prepare and advise on the administrative release of information following the Administrative Access Scheme (DOCX, 887KB) process
- create records where necessary within an authorised recordkeeping system of the original request and documents
- seek necessary approval according to the required process.
Manager, director or above must:
- ensure information released on the Right to Information External link website meets the requirements of significance, accuracy and relevance
- approve the administrative release of information following the Administrative Access Scheme (DOCX, 887KB) process
- coordinate regular reviews of information from, or about, the business unit on the department’s Publication scheme External link website and other departmental websites to ensure the continued relevance, significance and accuracy of published information
- proactively identify new information for consideration to be published on the department’s Right to Information External link website
- approve internet publication of all new and revised information ensuring it is accurate, relevant and has no copyright or other agreements restricting its release and publication
- ensure an Information Access Officer has been appointed to their business unit to adhere to this procedure.
Definitions
Term
Definition
Personal information
Information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.
Legislation
- Crime and Corruption Act 2001 (Qld) External link
- Information Privacy Act 2009 (Qld) External link
- Right to Information Act 2009 (Qld) External link
- Public Records Act 2002 (Qld) External link
- Public Service Act 2008 (Qld) External link
- Public Service Regulation 2018 (Qld) External link
Delegations/Authorisations
- Nil
Other resources
- Access to records held in schools procedure
- Code of Conduct for the Queensland Public Service External link
- Complaints and compliments External link
- Customer complaints management procedure
- Customer complaints management External link (DoE employees only)
- How do I access information? External link
- Identity (ID) and access management guideline (DOCX, 431KB)
- Information asset and recordkeeping procedure
- Information Management (IM) Policy External link (DoE employees only)
- Information classification and handling guideline External link (DoE employees only)
- Information access and use External link (DoE employees only)
- Keys to managing information External link (DoE employees only)
- Managed Internet Service (MIS) Filtering - Third party website consent form External link (DoE employees only)
- Obtaining and managing student and individual consent procedure
- Publication scheme External link
- Right to Information External link
- RTI and Information Privacy application process External link
- RTI make a request External link
- Services Catalogue Online Web Work Request External link
- Standard of Practice External link
Superseded versions
Previous seven years shown. Minor version updates not included.
1.0 Information Management (IM)
1.0 Information privacy and right to information
Review date
01 November 2018 Creative Commons — Attribution 4.0 International — CC BY 4.0