Business Insight

Queensland's IPOLA Guidelines – Queensland Privacy Principles – Part 1 (QPPs 1-4)


    What you need to know

    • Privacy reforms to the Information Privacy Act 2009 (Qld) are expected to commence on 1 July 2025. The reforms will introduce new Queensland Privacy Principles (QPPs) that replace the existing Information Privacy Principles and the National Privacy Principles.
    • Under QPP 1, agencies must maintain a clearly expressed and up-to-date privacy policy that is available to individuals in an appropriate form.
    • Under QPP 2, agencies must provide individuals with the option of anonymity or pseudonymity, unless exceptions apply.
    • For the purposes of QPP 4, agencies must know how to determine whether personal information is unsolicited information and how to deal with it.

    What you need to do

    • Agencies should be aware of the privacy reforms and implement practices, procedures and systems to ensure compliance with the new QPPs.
    • Agencies should prepare and regularly review their privacy policies.
    • An agency must ensure that personal information is only collected where it is reasonably necessary for, or in direct relation to, one or more of the agency's functions.
    • Agencies should ensure they have processes in place to assist with the identification and management of unsolicited personal information.

    On 4 December 2023, the Queensland Parliament assented to the Information Privacy and Other Legislation Amendment Act 2023 (Qld), with privacy reforms to the Information Privacy Act 2009 (Qld) (IP Act) expected to commence on 1 July 2025. You can read more about that here.

    Under the IP Act, the Queensland Privacy Principles (QPPs) will replace the existing Information Privacy Principles (which apply to non-health agencies) and the National Privacy Principles (which apply to health agencies). QPPs will apply to all agencies subject to the IP Act.

    The Office of the Information Commissioner Queensland (OICQ) has released guidelines to help agencies prepare for the changes to the IP Act (IPOLA Guidelines).1 The IPOLA Guidelines explain how to apply and interpret the QPPs. Importantly, under the IP Act, the Minister will have the power to endorse QPP codes and guidelines for approval by regulation. QPP codes will state how the QPPs are to be applied and may impose additional QPP requirements.3 For clarity, the IPOLA Guidelines that are discussed in this article are not QPP codes within the meaning of the IP Act, and to date no QPP codes have yet been approved under regulation.

    Overview of the QPPs

    The QPPs are based on the Australian Privacy Principles (APPs) under federal privacy legislation. However, some corresponding APPs have not been incorporated as QPPs - these relate to marketing, cross-border disclosure and government-related identifiers.4

    This article examines QPPs 1 - 4. At a high-level:

    • QPP 1 is concerned with the implementation of practices to ensure the management of personal information in an open and transparent way.5
    • QPP 2 requires individuals to be provided with an option to interact anonymously or using a pseudonym unless it is impracticable to do so or in other circumstances prescribed at law.6
    • QPP 3 is concerned with an agency's collection of solicited personal information.7
    • QPP 4 sets out requirements for agencies when dealing with unsolicited personal information.8

    QPP 1

    Core Obligations

    QPP 1 requires agencies to:

    1. Maintain a clearly expressed and up-to-date privacy policy (QPP Privacy Policy). QPP 1.4 includes the specifics of what must be contained in the QPP Privacy Policy.
    2. Take reasonable steps to make their QPP Privacy Policy available in an appropriate form and for no charge (for example, on a website), including upon receiving a request from an individual.
    3. Take reasonable steps to implement practices, procedures and systems that will:

    a) ensure the agency complies with the QPPs and any QPP code that binds the agency; and

    b) enable the agency to deal with related complaints and enquiries about the agency's compliance with the QPPs or any QPP code that binds the agency.9

    Both obligations 2 and 3 require the taking of 'reasonable steps' by agencies. What constitutes 'reasonable steps' will depend on the circumstances, including:

    • the nature of the personal information;
    • any possible adverse consequences for an individual if their personal information is not handled in compliance with the QPPs; and
    • any practicable considerations, including the time and expense involved in implementing the relevant steps.10

    Privacy Policy Content

    Based on OICQ Guidelines, an agency's QPP Privacy Policy must explain how it manages personal information it collects, tailored to its specific practices.11 The policy should also outline the information flows associated with personal information it collects. Where information of a specific class of persons is handled in a way that differs from others, for example, if an agency adopts different practices for managing the personal information of children, this should be explained.12

    QPP 1.4 requires the policy to, at a minimum, include:

    • types of personal information collected and held;
    • how it is collected, stored, used and disclosed;
    • purpose for which it will be used;
    • processes for accessing, amending and complaining about breaches of the policy;
    • how complaints are handled; and
    • details of overseas disclosures, including likely recipient countries if practicable.13

    To improve transparency as between the QPP Privacy Policy and the data breach policy (which agencies must also implement), the IPOLA Guidelines recommend that each policy should be cross-referenced.

    QPP 1.5 requires a QPP Privacy Policy to be made available free of charge and in an appropriate form. The IPOLA Guidelines recommend that, at a minimum, a QPP Privacy Policy should be accessible, easy to understand and navigate, avoid legalistic language, and only include information that is relevant to the agency's management of personal information.14

    Further, QPP 1.6 states that if a person requests a copy of an agency's QPP Privacy Policy in a particular form, the agency must take reasonable steps to provide the person with a copy in that form.

    Types of practices, procedures and systems

    The types of practices, procedures and systems an agency might introduce to comply with the QPPs will vary by agency. The IPOLA Guidelines outline a minimum list, including (but not limited to) commitments to conduct Privacy Impact Assessments, security systems to protect personal information from misuse, and procedures to identify and respond to breaches. Agencies should take this into account when formulating their practices, procedures and systems.

    QPP 2

    Core Obligations

    QPP 2 requires agencies to provide individuals with the option of anonymity or pseudonymity, unless identification is mandated by law or anonymity and pseudonymity are impractical.15 This right should be made known to individuals where appropriate and clearly outlined in the QPP Privacy Policy.16

    It is important for agencies to understand the difference between anonymity and pseudonymity when determining their personal information handling obligations.

    Dealing 'anonymously' means:

    • the individual that deals with the agency cannot be reasonably identified; and
    • the agency does not request personal information or information that might identify the individual.17

    Dealing 'pseudonymously' means that the individual will provide the agency with a name or description instead of their actual name.18

    Under QPP 2, personal information should not be linked to a pseudonym except where authorised by law, it is impracticable to do so, or the individual has provided consent to linking the personal information.19

    Exceptions to obligation

    Agencies are not required to offer anonymous or pseudonymous options in the following circumstances:20

    Exception: When the agency is authorised or required by law to deal with identified individuals

    Description: The authorisation or requirement must generally arise from law, or orders from the court or a tribunal. Discretion is only exercisable when the agency is authorised (but not required) to deal with an identified individual. The IPOLA Guidelines provide the following examples:

    • processing an individual's application for an identity document; or
    • processing a claim for, or paying a benefit to an individual.

    Exception: When it is impracticable for the agency to deal with individuals who have not identified themselves

    Description: Agencies are not required to permit anonymity or pseudonyms where it is impracticable for identification not to occur. The IPOLA Guidelines offer examples such as:

    • posting or delivering information or products, which typically requires an individual's address; and
    • investigating complaints about an agency's handling of personal information, where knowing the complainant's identity is necessary to investigate the matter.

    Where an exception applies, agencies must ensure they only collect the minimum necessary personal information required in the circumstances.21

    QPP 3

    Core Obligations

    QPP 3 governs the collection of solicited personal information by agencies.22 QPP 3 does not apply to unsolicited personal information, which should be dealt with in accordance with QPP 4.23

    To comply with QPP 3, agencies must ensure that:

    • collection of:
      • personal information is reasonably necessary for, or directly related to, one or more of their functions or activities; or
      • personal information that is sensitive information is consented to by the individual and the information is reasonably necessary for, or directly related to, one or more of their functions or activities (unless an exception applies) or an exemption applies;
    • personal information is collected lawfully and fairly; and
    • personal information is collected directly from the individual – unless the individual consents or the agency is required or authorised under law to collect from another person, or it is unreasonable or impracticable to do so.24

    Requirement: Information reasonably necessary for, or directly related to, one or more of the agency's functions or activities

    Detailed description: Agencies must only collect personal information, including sensitive information, that they need. It must be reasonably necessary for, or directly related to, their functions or activities. Agencies must identify these 'functions' by considering the instruments that confer or describe the agency's obligations and responsibilities.25 The IPOLA Guidelines outline that agency 'activities' will be related to its functions and include both incidental and support tasks such as human resourcing activities, corporate administration and public relations.26

    Determining what is 'reasonably necessary' for an agency's functions or activities involves assessing what a reasonable person would consider is reasonably necessary.27 Notably, agencies bear the onus of demonstrating that a collection is reasonably necessary.28

    Where something is 'directly related' to a function or activity, this means there must be a direct connection between the personal information being collected and the function or activity.

    Requirement: Collection by lawful means

    Detailed description: Agencies must collect personal information, including sensitive information, in accordance with law. The IPOLA Guidelines indicate that this will include civil, criminal and common law, but generally does not include a breach of contract.29

    Requirement: Collection by fair means

    Detailed description: Typically, collection of personal information, including sensitive information, will be fair where the collection "does not involve intimidation or deception or is not unreasonably intrusive".30

    Requirement: Collection must occur directly from individual

    Detailed description: Agencies must collect personal information that is not sensitive information about an individual, directly from the individual unless:

    • the individual consents to the personal information being collected from someone other than the individual;
    • the agency is required or authorised by or under law to collect the information from a person other than the individual; or
    • it is unreasonable or impracticable for the entity to collect personal information only from the individual.31

    Requirement: Collection of sensitive information must only occur with consent

    Detailed description: Sensitive information is a category of personal information that includes stricter requirements due to the nature and sensitivity of that information and risk to the individual if mishandled. Unless a relevant exception applies, in addition to the requirements regarding collection being reasonably necessary for, or directly related to, a function or activity, agencies must only collect sensitive information with the individual's consent.32 Some of these exceptions include a permitted general situation and where collection is required or authorised under an Australian law, or by a court or tribunal.

    QPP 4

    Core Obligations

    Unsolicited information refers to personal information that an agency receives without actively seeking it,33 meaning the agency took no active steps to collect it.34 Unsolicited information could include additional personal information supplied by an individual that was not requested, or information sent to an agency at the individual's own instigation (e.g. a petition). The IPOLA Guidelines also offer the following guidance in determining what may be 'unsolicited' personal information (emphasis added):

    Where it is unclear whether personal information is solicited or unsolicited, agencies should focus on the nature of the additional personal information and the connection it has with the agency’s request. If the agency cannot decide, it is generally safest to treat the personal information as unsolicited personal information and destroy or de-identify it if it is lawful and reasonable to do.35

    Under QPP 4, agencies must assess unsolicited personal information to determine whether the agency could have solicited the information (and therefore is subject to QPP 3). The agency may use or disclose the personal information for the purposes of making this assessment, which should be made within a reasonable period – and while that depends on the circumstances, the IPOLA Guidelines state it should be done as promptly as possible.

    Separately, agencies should determine if the information is contained in a public record or not.36 If contained in a public record, the agency does not need to consider if the information could have been collected under QPP 3 – it must be handled in accordance with QPP 5-13 and the Public Records Act 2023 (Qld).

    If:

    • the agency decides the information would not have been permitted to be collected by it under QPP 3;
    • the information is not contained in a public record (which must be retained in accordance with the Public Records Act 2023 (Qld)); and
    • it is lawful and reasonable to do so,

    the agency is required to destroy or de-identify the personal information as soon as practicable.37 What timeframe is practicable may take into account technical and resource considerations, but an agency must justify any delay in destroying or de-identifying unsolicited personal information.

    In assessing if it is lawful and reasonable for an entity to destroy or de-identify unsolicited personal information, agencies must ensure any act is not criminal, illegal, or prohibited or prescribed by law.38 In determining reasonableness, an objective standard is to be applied to the facts.39

    After an agency determines destruction or de-identification of unsolicited information is both reasonable and lawful, the agency must do so as soon as practicable.40

    Look out for our next article in the IPOLA Guidelines Series on QPPs 5-13.


    Authors: Clare Doneley, Partner; Alex White, Associate and Chanel Gray, Associate.


    1. IPOLA Guidelines by the Office of the Information Commissioner Queensland (Website).
    2. Information Privacy Act 2009 (Qld) chapter 3.
    3. Basic guide to the changes in the Information Privacy Act 2009 Guidance Note 2024 page 3 ('Basic QPP Guidance Note').
    4. Basic QPP Guidance Note page 2.
    5. QPP 1 – Open and transparent management of personal information Guidance Note 2024 page 2 ('QPP 1 Guidance Note').
    6. Basic QPP Guidance Note page 2.
    7. Basic QPP Guidance Note page 2.
    8. Basic QPP Guidance Note page 2.
    9. QPP 1 Guidance Note pages 2-3.
    10. QPP 1 Guidance Note pages 2-3.
    11. QPP 1 Guidance Note page 4.
    12. QPP 1 Guidance Note page 4.
    13. QPP 1 Guidance Note page 5.
    14. QPP 1 Guidance Note pages 4-5.
    15. QPP 2 – Dealing anonymously and pseudonymously with an agency Guidance Note 2024 pages 2-3 ('QPP 2 Guidance Note').
    16. QPP 2 Guidance Note pages 2-3.
    17. QPP 2 Guidance Note page 2.
    18. QPP 2 Guidance Note page 2.
    19. QPP 2 Guidance Note page 3.
    20. QPP 2 Guidance Note pages 4-5.
    21. QPP 2 Guidance Note pages 4-5.
    22. QPP 3 – Collection of solicited personal information Guidance Note 2024 page 2 ('QPP 3 Guidance Note').
    23. QPP 3 Guidance Note page 2.
    24. QPP 3 Guidance Note pages 2-4.
    25. QPP 3 Guidance Note page 3.
    26. QPP 3 Guidance Note page 3.
    27. QPP 3 Guidance Note page 4.
    28. QPP 3 Guidance Note page 4.
    29. QPP 3 Guidance Note page 5.
    30. QPP 3 Guidance Note page 6.
    31. QPP 3 Guidance Note pages 8-9.
    32. QPP 3 Guidance Note page 6.
    33. QPP 4 – Dealing with unsolicited personal information Guidance Note 2024 page 2 ('QPP 4 Guidance Note').
    34. QPP 4 Guidance Note page 2.
    35. QPP 4 Guidance Note page 3.
    36. QPP 4 Guidance Note page 2.
    37. QPP 4 Guidance Note pages 4-5.
    38. QPP 4 Guidance Note page 5.
    39. QPP 4 Guidance Note page 5.
    40. QPP 4 Guidance Note page 6.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.