Refer to the Department of Education Policy and Procedure Register at https://ppr.qed.qld.gov.au/pp/information-privacy-and-right-to-information-procedure to ensure you have the most current version of this document.
Last updated 7 February 2020
This guideline supports the Information privacy and right to information procedure
Acknowledgements
This document was developed using materials made available under a Creative Commons BY licence from the Queensland Government Office of the Information Commissioner – http://oic.qld.gov.au.
Security and licence
This document has an information security classification of public. © The State of Queensland (Department of Education) 2020
Unless otherwise noted below, materials included in this paper are licensed under a Creative Commons Attribution 4.0 Australia licence. To view a copy of this licence, visit https://creativecommons.org/licenses/by/4.0/
Guiding principle
The Department of Education (DoE) is committed to protecting personal information it holds and handles as it performs its functions.
Personal information is information or an opinion (including captured electronically in databases, true or untrue, whether in material form (e.g. paper) or not) about a person whose identity is apparent, or can reasonably be ascertained.
Purpose
Given the complexity of the legislative framework within the department’s operations, this procedure has been developed to provide practical advice to DoE employees when collecting, securing, storing, accessing, amending, using and disclosing personal information.
For information regarding disposal of data / information collected by the department, refer to the department’s Information privacy and right to information procedure.
Application
This procedure applies to all DoE employees, contractors and volunteers.
While all DoE employees manage this information, particular attention should be given by DoE employees in Queensland State Schools as they collect, use and disclose personal information of students, parents and employees on a daily basis.
This is a guide only to assist with normal operations within corporate offices and schools. Further advice should be sought from the department’s Privacy Officer. Legal advice should be sought from DoE’s Legal and Administrative Law Branch for specific circumstances requiring legal advice.
Types of personal information
DoE provides full details of the different types of information it holds on the How do I access information? website.
Background
DoE operates under its primary legislation (refer to 3.2 DoE primary legislation), which requires the department to maintain confidentiality of children and young people’s personal information recorded, used and disclosed by the department.
Legislation coverage by sector and purpose
In general, recording, using or disclosing personal information is prohibited except where permitted by law.
Scope
DoE is administratively responsible for a number of state acts (referred to as its ‘primary’ legislation – see Section 3.2 DoE primary legislation). This primary legislation specifically regulates the way DoE employees deal with certain personal information and to that extent overrides any provisions of the Information Privacy Act 2009 (Qld) (IP Act) that deal with the same subject matter. In essence, DoE’s primary legislation must be considered and satisfied in the first instance when handling personal information. Under all other circumstances, the IP Act must be adhered to.
DoE primary legislation
DoE’s primary legislation is as follows:
Education and Care Services Act 2013 (Qld)
Education (Accreditation of Non-State Schools) Act 2017 (Qld)
Education (General Provisions) Act 2006 (Qld)
Education (General Provisions) Regulation 2017 (Qld)
Education (Overseas Students) Act 2018 (Qld)
Education (Queensland Curriculum and Assessment Authority) Act 2014
Education and Care Services National Law (Queensland) Act 2011
Education and Care Services National Law (Queensland) Regulation 2011
Education and Care Services National Regulations (Qld)
Public Service Regulation 2018 (Qld)
Current versions of this legislation can be found here except where specifically detailed above.
Further Considerations
It is important to note that the confidentiality provisions outlined in these Acts are offence provisions. A breach of any one of these provisions may render an individual liable to a fine. A breach of the legislation may also make an individual liable to disciplinary action under the Public Service Act 2008 (Qld).
In addition to the provisions under the primary legislation, DoE is subject to the IP Act. DoE employees are obliged by this policy and other departmental policies to comply with the requirements of the IP Act in the performance of their duties, where DoE’s primary legislation does not override the requirements of the IP Act.
An overview of the process and compliance requirements for DoE employees when dealing with personal information about employees, students and parents is set out in a flowchart in Appendix A.
Information Privacy Principles
The IP Act sets out the legislative framework to protect the personal information of individuals, giving individuals the right to access and amend their own personal information and sets out the rules for how DoE handles personal information when DoE’s primary legislation does not apply. Refer to the Office of the Information Commissioner’s guidelines – privacy principles for a comprehensive breakdown of the principles. The sections below outline advice mainly provided from the Office of the Information Commissioner’s website.
While the Information Privacy Principles (IPPs) are, in part, overridden by DoE’s primary legislation, they still fully apply to all personal information not covered by DoE’s primary legislation and will apply at least in part to all personal information handled by DoE.
The IP Act contains 11 IPPs which the department must follow to regulate the way it collects, stores, uses and discloses personal information about individuals:
IPP 1. Lawful and fair collection of personal information
IPP 2. Collection of personal information when requested from an individual
IPP 3. Collection of personal information - ensuring relevance, completeness and currency
IPP 4. Storage and security of personal information
IPP 5. Providing information about documents containing personal information
IPP 6. Access to documents containing personal information
IPP 7. Amendment of documents containing personal information
IPP 8. Checking of accuracy, completeness and currency of personal information before use
IPP 9. Using personal information only for relevant purpose
IPP 10. Limits on use of personal information
IPP 11. Limits on disclosure of personal information.
The IP Act places ‘practical protections’ on the flow of departmental personal information and promotes its responsible use and disclosure.
Limit Collection (IPPs 1, 2 and 3)
When DoE (its employees and contractors) is collecting personal information, this must be done lawfully and in the fairest, simplest way to ensure protection of people’s personal information and minimise the risk of breach of the IP Act.
Fundamental questions to ask are:
What information is needed to carry out DoE’s purpose?
Can the purpose be achieved without collecting it?
When collecting personal information DoE must have a specific purpose, not collect any more than is necessary, and not use unfair or unlawful means of collection. Collecting personal information because DoE thinks it may need it at some time in the future is likely to breach the privacy principles relating to collection. Only IPP 1 applies to an individual giving information to DoE without it being requested (unsolicited information).
IPP 2 applies only where DoE collects the information directly from the individual. In these instances a privacy notice (see Appendix B) should be administered. Privacy notices are provided to inform individuals of the use when their personal information is collected. Personal information is disclosed only to the individual to whom the information applies or, when disclosure is properly authorised under legislation or with consent using the Obtaining and managing student and individual consent procedure, where applicable.
IPP 3 applies where:
DoE asks the individual for the information
DoE asks someone else (for example, another agency) for information about an individual.
Keep it safe (IPP 4)
IPP 4 relates to the security of personal information. It requires DoE to ensure that it applies appropriate protections to the personal information it controls. This means that, even where documents are being held by another body or person, if DoE has the ability to exercise control over them it must take the steps necessary to ensure they are protected. Refer to the Information security procedure for additional information.
Transparent and accountable (IPP 5, 6 and 7)
IPPs 5, 6 and 7 concern the transparency of DoE actions when dealing with personal information and ensuring that the individuals the information is about are able to exercise some measure of control over it.
These IPPs require DoE to:
make people aware of what kinds of personal information the department holds and why
tell people how they can get access to it
state how they can seek to have it amended if they believe it is not accurate.
Chapter three of the IP Act creates a legal right of access to, and amendment of, documents containing an individual’s personal information. It applies to more government entities and documents than those subject to the privacy principles, but all bodies subject to the privacy principles (the IPPs or the National Privacy Principles (NPPs)) are covered by chapter three. For this reason, in the majority of circumstances, compliance with IPPs 6 and 7 will be achieved by compliance with chapter three of the IP Act.
The exceptions to this will be where the entity is a bound contracted service provider under section 35 of the IP Act. Bound contracted service providers are subject to the privacy principles but not to chapter three of the IP Act. The requirements of chapter three can be a guide for how bound contracted service providers can meet their obligations under IPPs 5, 6 and 7.
Accuracy and currency (IPP 8 and 9)
IPPs 8 and 9 are concerned with ensuring that the information used by DoE is accurate, up-to-date and complete, and that DoE uses only the part of the information it holds that is relevant to the purpose of its business at that time.
‘Accurate, up-to-date and complete’ will be collectively referred to in this section as ‘accurate’, except where each requirement is explained. Accuracy of information is particularly important where it is being used to make decisions. If the information is not accurate, the use may be a breach of IPP 8.
IPPs 8 and 9 ensure that, whenever DoE uses personal information, it first ensures that it is accurate and relevant. This helps DoE make fair and lawful decisions, based on reliable information. IPP 8 requires DoE to take reasonable steps to ensure that personal information is accurate. The reasonable steps required to ensure accuracy in particular circumstances will depend on several factors, including:
the nature of the information
how recently the information was collected
how quickly the information can go out of date
who provided the information
the purpose for which the organisation uses the information
the consequences for the individuals concerned if the data is not sufficiently accurate, complete and up-to-date.
The type of information, and the consequences that may flow from poor data quality, will be a key factor in determining whether the steps DoE takes are reasonable. Some information, if incorrect when used, may simply irritate the individual it is about, for example, the misspelling of a name. However, some incorrect information may have significant adverse impacts on an individual, for example, recording an individual’s age incorrectly when they are applying for an age-based entitlement.
Like IPP 8, IPP 9 applies only where DoE is intending to use the personal information it holds. DoE holds a great deal of personal information and not all of it will be relevant to every use relating to the individual it is about. In order to ensure that the use does not breach IPP 9, DoE must take care only to use that part of the information which is relevant.
Relevance is also discussed in the section on IPP 3, and the phrase ‘directly related’ is examined in the section on IPP 1. The same principles apply when considering IPP 8. Generally, DoE must consider:
the use to which the personal information is to be put
whether the personal information is directly related to that use.
When considering whether the personal information is relevant to the purpose, DoE should consider:
what DoE is trying to achieve when it uses the information
any legislation or policies that relate to or govern that use.
Limit use and disclosure (IPP 10 and 11)
IPP 10 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies as set out under IP Act, Schedule 3, IPP 10 (1)(a) to (f).
IPP 11 provides that personal information must not be disclosed outside DoE unless one of the exceptions applies. Additionally, when certain exceptions are relied upon, the use or disclosure must be noted on the record containing the personal information. For example, where personal information is disclosed, with reliance on IP Act, Schedule 3, IPP 11, DoE is required to ensure that the recipient does not use it for any other purpose.
In Appendix E Tables below:
Table one outlines a number of additional considerations to take into account, in addition to the primary legislation
Table two outlines a number of documents that are exempt from the IPP requirements
Table three outlines a number of entities that are exempt from the IPP requirements.
Guide for state schools
Queensland State Schools collect, use and disclose personal information of students, parents and employees on a daily basis.
This is a guide only to assist with normal operations within schools. Further advice should be sought from the department’s Privacy Officer. Legal advice should be sought from DoE’s Legal and Administrative Law Branch for specific circumstances requiring legal advice.
Is the information ‘personal information’
Personal information is information or an opinion (including captured electronically in databases, true or untrue, whether in material form (e.g. paper) or not) about a person whose identity is apparent, or can reasonably be ascertained.
For example, a student’s name and address, marital status of a student’s parents, a teacher’s qualification level, or school community member’s home address.
All other information is non-personal departmental information. For example, school operational plans, de-identified school achievement reporting, or school announcements that do not include personal information (e.g. employee’s names, student names). All non-personal departmental information can be handled in accordance with the Information security procedure.
The IP Act does not apply to a Parent and Citizens Association under the Education (General Provisions) Act 2006 (Qld) (EGPA).
Collection of personal information (lawful, fair and relevant)
When collecting personal information, schools can only collect the information necessary to fulfil their function of providing an educational program to state school students. For example, collecting unnecessary background or financial information about someone would be a breach of the IP Act.
Key questions to ask when collecting personal information, or when you have been given personal information without making a request (for example, a parent gives you a written detailed family history of a student):
What is the purpose?
What is the function or activity?
The answer to this question must be based in law. Check the objects of EGPA (Part 3 – Objects) for further guidance.
For example, collecting student and parent personal information via the enrolment agreement (e.g. student date of birth, parent daytime contact phone number), to enable the school to provide an educational program to the student.
Is all of the information required?
Only collect information that is necessary to fulfil the school’s operational need. Collecting information that is not required is a breach of IPP 1.
For example, collection of parent financial information is required for national reporting. You only need to collect the financial information (e.g. salary or wage level) at the point in time that you collect the information. Asking for previous financial history is not required (e.g. average salary over the last five years).
What does a person need to know about ‘why’ the school is collecting their personal information from them?
If you are collecting personal information from an individual, you need to give that person a ‘privacy notice’ letting them know:
Why their information is being collected, including any law that allows or requires the collection
How DoE is going to use their personal information and to whom it will be given (any person or body to whom DoE usually gives the information)
Whether any person or body to whom your school gives the information in turn gives it to another person or body
If there are one or more purposes for collection, you need to outline each reason for collection so the person has a choice to agree or disagree to collection. For example, separate ‘marketing purposes’ from ‘assessing your child’s application for enrolment’.
How do I draft a ‘privacy notice’?
Preparing and providing a privacy notice is detailed in Appendix B.
Where do I need to put the ‘privacy notice’?
forms
telephone scripts (if you give a verbal privacy notice – keep a detailed file note)
websites
pamphlets
notice boards/ displays at service counters
correspondence.
Is the information relevant to the operations of the school?
Always try to collect the information from the relevant individual wherever possible (i.e. rather than another agency)
Your school must make sure that only information that is relevant, up-to-date, and complete is being collected
Note the date on which the information is collected; this will assist with currency assessment later on
Make sure collection of personal information is not unreasonably intrusive in a person’s affairs. For example, asking about sensitive personal affairs, invading their private property, repeatedly and unnecessarily asking for the same information.
Quick check
Review all of your forms, questionnaires and other tools that you use to collect personal information – do they meet the questions posed above?
Compare each of these tools with the purposes of the functions of DoE (guided by the objects of EGPA – Part 3 – Objects).
Ensure they are all necessary data collections and do not collect more personal information than is necessary.
Storing and securing personal information
When storing and securing personal information you must make sure appropriate protections are in place to protect against loss, unauthorised access, use, modification, disclosure or other misuse.
Further DoE guidance on security measures can be found in the Information security procedure.
Schools hold extensive amounts of personal information about employees and students, for example, birth origin and date, criminal history, etc. This information carries the potential for identity theft, financial harm to the person if misused, or it could be used to the detriment of the person’s life, safety, liberty, reputation or livelihood. Extra care should be taken by school principals to develop appropriate strategies to protect personal information in all operations within the school.
How do you safeguard personal information?
limit access to those people with a need to know the information
use audit logs to deter and detect security breaches
secure places where information is physically stored
secure data during and after transmission.
What do you do if you suspect personal information security has been compromised?
log a security incident on Services Catalogue Online
where you are unable to log a security incident, report the incident to your direct supervisor so they can log the security incident on your behalf
notify the department’s Privacy Officer via email at privacy@qed.qld.gov.au.
Access to personal information
Any person who has had their personal information collected by DoE has the right to seek access to that information.
An access to personal information request can be made through DoE’s How do I access information? website.
All school principals must follow DoE’s Access to records held in schools procedure, when providing access to certain documents held in school under an administrative arrangement.
Using personal information (up-to-date, accurate and relevant)
The personal information collected by schools must be kept accurate, complete and up-to-date. Only the relevant parts of this information can be used to fulfil the purpose for which it was originally obtained.
The agreed use of personal information is for searching purposes (looking for a student record for example) and to transfer the information within the school or department. However, the person to whom the information relates must be aware that their personal information will be used in this way and transferred to another area of DoE.
The only circumstances where a school can use personal information for a purpose other than the reason it was originally collected are the following:
through a new agreement with the person (can be expressed or implied)
there is serious threat to health, safety or welfare
it is required or authorised under a law
for law enforcement
it is a directly related purpose as under the original agreement for use
it is required for research or statistics in a de-identified form.
When can I disclose personal information?
There are strict limits on the disclosure of personal information. Where disclosure is allowed, you must ensure that further disclosure of personal information by a third party is not occurring (e.g. a contractor using the personal information for other purposes).
Department contact details
Privacy Officer
Information and Governance Management
Digital Transformation
Information and Technologies Branch (I&TB)
Phone: (07) 3034 4557
Email: privacy@qed.qld.gov.au
Right to Information Unit
Manager, Information Release
Legal and Administrative Law Branch
Department of Education
PO Box 15033 City East QLD 4002
Phone: (07) 3513 5858
Email: rti@qed.qld.gov.au
Appendix A: Flowchart to identify which legislation protects the different types of personal information
Appendix B: Preparing and providing a privacy notice
Preparing and providing a privacy notice
A privacy notice communicates the Department of Education’s intent when collecting an individual’s personal information. The collection notice explains:
why the personal information is being collected
what departmental legislation (if any) authorises the collection
any usual practice to disclose personal information to another entity and if the other entity is known to further disclose. For example, include details about outsourcing arrangements involving personal information or other inter-governmental data sharing/data matching arrangement
any outsourcing arrangements involving personal information.
A privacy notice is not the same as asking for consent to use or disclose personal information. It is important that departmental websites used to collect personal information include a privacy notice.
Writing the privacy notice
A simple drafting format follows. The instruction ‘<Insert 1>’ refers to inserting the description as listed against the corresponding number under ‘What to include in the privacy notice’ below.
The Department of Education through <Insert 1> is collecting <Insert 2> in accordance with <Insert 3> in order to <Insert 4>. The information will only be accessed by <Insert 5>. <Some of this information/This information> may be given to <Insert 6> for the purpose of <Insert 7>. The information will not be given to any other person or agency unless <Insert 8>.
What to include in the privacy notice
When drafting the privacy notice in accordance with the IP Act (IPP 2), include:
Insert 1 name of business unit or school
Insert 2 type/s of information being collected e.g. ‘your personal information’
Insert 3 legislation requiring or allowing for collection of the information e.g. Education (General Provisions) Act 2006 (Qld) or Education and Care Services Act 2013 (Qld)
Insert 4 why the information is being collected (e.g. the business unit or school’s purpose for collection) [Our control]
Insert 5 who will use the information
Insert 6 who the information will, or may be, given to
Insert 7 purpose for which the information will be used once given to a third party (if known)
Insert 8 any other circumstances in which information will be given away (e.g. where required by law) and/or steps that will be taken by the business unit or school if it is proposed to give the information to anyone other than the person or agency listed in ‘Insert 6’ above (such as asking for the person’s consent).
Example of privacy notice
The following can be used when personal information is being collected and will be retained within Australian legal jurisdiction.
The Department of Education through {name of School} is collecting your personal information in accordance with _{section XX of the
In the case of a survey where data is stored on overseas servers use:
The Department of Education through {name of school} is collecting your personal information in accordance with _{section XX of the
Presenting the privacy notice
A privacy notice may be presented in a form which suits the circumstances and the needs of the individual. For example, notices may be:
printed on collection forms, or attached to the form or given to the individual as a separate document
posters and/or pamphlets publicly displayed or available at the location where service is provided
part of an electronic log-in process to an ICT system or service
a verbal script used by employees who manage phone enquiries
a website privacy notice on a departmental web page
as part of a disclaimer in an email message
in languages other than English or involve the services of an interpreter
in a form that meets the needs of an individual who may be physically impaired or who does not have sufficient capacity to understand.
Presenting an online privacy notice
Ways in which a privacy notice may be presented online when using a non-departmental online ICT service include:
a paragraph on business unit or school web page which directs (by hyperlink) the individual, whose personal information will be collected, to the ICT service where the information is to be collected and used
a paragraph on a business unit or school web page which includes a mandatory field checked by the individual as acknowledgment of acceptance before they can proceed
a paragraph on a web page where collection is to occur e.g. on a service provider’s website if it can be configured specifically for use by the business unit or school
a paragraph on a form, or written notice attached to the form, which is being used to collect the personal information before being given to the service provider. This form may be downloaded from a website but managed as a paper form.
People may sign to acknowledge they have read and understand the privacy notice or click a mandatory field before being able to submit an online form.
Appendix C: Consent to transfer personal information overseas
Consent is obtained in accordance with Obtaining and managing student and individual consent procedure.
If the use of the ICT service is voluntary (for example, the responsible adult or participant can choose, or not choose, to become involved), the individual’s agreement can be obtained as part of the collection process and added to the example below.
This may also be used when the collection is voluntary and the personal information is collected from a responsible adult or older student and is to be transferred overseas.
The _
Appendix D: Definitions
Act means an Act of the Queensland Parliament, and includes:
a British or New South Wales Act that is in force in Queensland; and
an enactment of an earlier authority empowered to pass laws in Queensland that has received assent.
In an Act, a reference to ‘an Act’ includes the Act in which the reference is made. Act also includes statutory instruments under an Act.
Authorised Officer is an officer authorised by the Director-General to do something on the Director-General’s behalf. Not a delegate (e.g. Authorised Officers under the Human Resources Delegations).
Breach of privacy occurs where personal information about an individual has been recorded, stored, accessed, used or disclosed inappropriately (not in accordance with the law).
Confidentiality is a duty of confidentiality that arises when information is inherently confidential because of its nature (e.g. medical or disciplinary information about a student or employee) or where information is given in circumstances where there is an express acknowledgement of confidentiality or where an obligation of confidence is implied (e.g. counselling discussions between a guidance officer and a student or between an employee and an employee assistance provider), where there is a contractual obligation of confidence or where a statute imposes such an obligation.
Contracted service provider is a person or organisation who is engaged under a service arrangement with DoE, and is required to comply with the privacy principles (s.34 of the IP Act), as if it were DoE.
Delegate is an officer of DoE delegated by the Director-General or Minister to exercise the Director-General’s or Minister’s powers under an Act - as if they were the Director-General or Minister (e.g. power to disclose information under s.426(4)(e) of the Education (General Provisions) Act 2006 (Qld)).
Disclose personal information means to cause information to appear, allow it to be seen, make it known or reveal it. This includes giving access to such information (e.g. allowing another person to view personal information on a DoE computer). For the purposes of the IP Act, an entity (the first entity) discloses personal information to another entity (the second entity) if:
the second entity does not know the personal information, and is not in a position to be able to find it out
the first entity gives the second entity the personal information, or places it in a position to find it out; and
the first entity ceases to have control over the second entity in relation to who will know the personal information in the future.
Employee is any permanent, temporary, seconded or contracted staff member, contractors and consultants, volunteers who assist staff with their professional duties, or other person who provides services on a paid or voluntary basis to the department that are required to comply with the department’s policies and procedures. Within schools this includes principals, deputy principals, heads of departments, head of curriculums, guidance officers, teachers and other school staff.
Information Access Officer is a person within the business unit or school that assists in the facilitation of DoE’s compliance and awareness with Right to Information (RTI) and Information Privacy (IP) reforms.
Information Privacy Principles (IPP) means the information privacy principles in Schedule 3 of the IP Act.
Legislative compliance means complying with the statute law e.g. Acts that govern DoE’s operations.
Personal information is information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Primary legislation is legislation that DoE is responsible for administering under an Administrative Arrangements Order; such legislation usually authorises and directs DoE’s operations.
QCAT means Queensland Civil and Administrative Tribunal.
Queensland State schools includes independent public schools.
Appendix E: Tables
Table one: Information Privacy Act 2009 (Qld) by example and DoE policy
Example | Role | Policy
Relationship with other Acts requiring access to or amendment of personal information
Example: Where a provision in the Education (General Provisions) Act 2006 (Qld) (EGPA) allows access and amendment of personal information.
Role: All employees
Policy: -
Relationship with other Acts prohibiting disclosure of information
Example: The IP Act operates other than where another Act, for example the EGPA, prescribes collection, storage, handling, accessing, amendment, management, transfer, use and disclosure of personal information.
Role: All employees
Policy: -
Transfer of personal information outside Australia
Example: Student personal information is held in a non-departmental web service which is physically located overseas. DoE may do this if: the individual agrees to the transfer; or the transfer is authorised or required under a law; or the agency is satisfied on reasonable grounds that the transfer is necessary to lessen or prevent a serious threat to the life, health, safety or welfare; or 2 or more of the following apply: (i) the agency reasonably believes that the recipient of the personal information is subject to law, binding scheme or contract that effectively upholds principles for the fair handling of personal information that are substantially similar to the IPPs or, if the agency is the Health Department, the NPPs; (ii) the transfer is necessary for the performance of the agency’s functions in relation to the individual; (iii) the transfer is for the benefit of the individual but it is not practicable to seek the agreement of the individual, and if it were practicable to seek the agreement of the individual, the individual would be likely to give the agreement; (iv) the agency has taken reasonable steps to ensure that the personal information it transfers will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the IPPs or, if the agency is the Health Department, the NPPs.
Role: All employees
Policy: See Appendix C: Consent to transfer personal information overseas; Obtaining and managing student and individual consent procedure.
Binding a contracted service provider to the privacy principles
Example: A contracted service provider, as outlined in the service contract, is bound to abide by the IP Act, as if they were the agency. The agency entering into the service arrangement must take all reasonable steps to ensure that the contracted service provider is required to comply with the IP Act.
Role: All employees / business units or schools engaging and administering service contracts with contracted service providers
Policy: Purchasing and procurement procedure
Disclosure and Amendment of personal information under the IP Act
To be dealt with by the RTI Unit: Information Release, Legal and Administrative Law Branch (LALB), Department of Education. Email: rti@qed.qld.gov.au
Policy: Access to records held in schools procedure; Information privacy and right to information procedure; Disclosing personal information to law enforcement agencies procedure
Protections and offences
Example: Under the IP Act there are prescribed protections against actions for defamation or breach of confidence: if a person has been given access and the access was required or permitted to be given under this Act, or the access was authorised by a decision-maker in the genuine belief that the access was required or permitted to be given under this Act, protections are in place under the Act. The same applies to publication. A person must not give a direction, either orally or in writing, to a person (an employee or officer of the agency) required or permitted to make a decision under this Act directing the person to make a decision the person believes is not the decision that should be made under this Act. A person must not, in order to gain access to a document containing another person’s personal information, knowingly deceive or mislead a person exercising powers under this Act.
Role: All employees
Table two: Documents not covered by the privacy principles
Covert activity
A document to the extent it contains personal information — (a) arising out of, or in connection with, a controlled operation or controlled activity under the Police Powers and Responsibilities Act 2000 (Qld) or the Crime and Corruption Act 2001 (Qld), or (b) arising out of, or in connection with, the covert undertaking of an operation, investigation or function of a law enforcement agency, or (c) obtained under a warrant issued under the Telecommunications (Interception and Access) Act 1979 (Cwlth).
Witness protection
A document to the extent it contains personal information about a person who is included in a witness protection program under the Witness Protection Act 2000 (Qld) or who is subject to other witness protection arrangements made under an Act.
Disciplinary actions and misconduct
A document to the extent it contains personal information arising out of — (a) a complaint under the Police Service Administration Act 1990 (Qld), part 7, or (b) a complaint, or an investigation of misconduct, under the Crime and Corruption Act 2001 (Qld).
Public interest disclosure
A document to the extent it contains personal information — (a) contained in a public interest disclosure under the Public Interest Disclosure Act 2010 (Qld), or (b) that has been collected in an investigation arising out of a public interest disclosure under the Public Interest Disclosure Act 2010 (Qld).
Cabinet and executive council
A document to the extent it contains personal information that is also the subject of the Right to Information Act 2009 (Qld), schedule 3, section 1, 2 or 3.
Commissions of inquiry
A document to the extent it contains personal information arising out of a commission of inquiry.
Other
A document that is — (a) a generally available publication, or (b) kept in a library, art gallery or museum for the purposes of reference, study or exhibition, or (c) a public record under the Public Records Act 2002 (Qld) in the custody of Queensland State Archives that is not in a restricted access period under that Act, or (d) a letter, or anything else, while it is being transmitted by post.
Table three: Entities to whom the privacy principles do not apply
Entities to which the privacy principles do not apply
1 The Assembly, a member of the Assembly, a committee of the Assembly, a member of a committee of the Assembly, a parliamentary commission of inquiry or a member of a parliamentary commission of inquiry.
2 The Parliamentary Judges Commission of Inquiry appointed under the expired Parliamentary (Judges) Commission of Inquiry Act 1988.
3 A commission of inquiry issued by the Governor in Council, whether before or after the commencement of this schedule.
4 A parents and citizens association under the Education (General Provisions) Act 2006 (Qld).
5 A grammar school to which the Grammar Schools Act 2016 (Qld) applies.
6 A government owned corporation or a subsidiary of a government owned corporation.
Entities to which the privacy principles do not apply in relation to a particular function
1 A court, or the holder of a judicial office or other office connected with a court, in relation to the court’s judicial functions.
2 A registry or other office of a court, or the employees of a registry or other office of a court in their official capacity, so far as its or their functions relate to the court’s judicial function.
3 A tribunal in relation to the tribunal’s judicial or quasi-judicial functions.
4 A tribunal member or the holder of an office connected with a tribunal, in relation to the tribunal’s judicial or quasi-judicial functions.
5 A registry of a tribunal, or the employees of a registry of a tribunal in their official capacity, so far as its or their functions relate to the tribunal’s judicial or quasi-judicial functions.
6 A quasi-judicial entity in relation to its quasi-judicial functions.
7 A member of, or the holder of an office connected with, a quasi-judicial entity, in relation to the entity’s quasi-judicial functions.
8 The employees of a quasi-judicial entity in their official capacity, so far as their functions relate to the entity’s quasi-judicial functions.