Queensland's IPOLA Guidelines – Queensland Privacy Principles – Part 2 (QPPs 5-10)

    What you need to know

    • Privacy reforms to the Information Privacy Act 2009 (Qld) are expected to commence on 1 July 2025. The reforms will introduce new Queensland Privacy Principles (QPPs) that replace the existing Information Privacy Principles and the National Privacy Principles.
    • Under QPP 5, agencies must take reasonable steps to notify individuals of certain details when personal information is being collected.1
    • QPP 6 is concerned with the use or disclosure of personal information and provides exceptions allowing the use and disclosure of personal information for a secondary purpose.2
    • For the purposes of QPP 10, agencies must maintain the quality of personal information.3

    What you need to do

    • Agencies should be aware of the privacy reforms and implement practices, procedures and systems to ensure compliance with the new QPPs.
    • Agencies should only disclose information for the primary purpose for which it was collected, unless an exception applies.
    • An agency must ensure that the personal information it collects and discloses is accurate, up-to-date, and complete.
    • Agencies should ensure they have processes in place to assist with notifying individuals when their personal information is being collected.

    On 4 December 2023, the Queensland Parliament assented to the Information Privacy and Other Legislation Amendment Act 2023 (Qld), with privacy reforms to the Information Privacy Act 2009 (Qld) (IP Act) expected to commence on 1 July 2025. You can read more about that here.

    Under the IP Act, the Queensland Privacy Principles (QPPs) will replace the existing Information Privacy Principles (which apply to non-health agencies) and the National Privacy Principles (which apply to health agencies). QPPs will apply to all agencies subject to the IP Act. The QPPs are based on the Australian Privacy Principles (APPs) under federal privacy legislation. However, APPs 7-9 do not have corresponding QPPs – the numbering is kept to ensure consistency.

    The Office of the Information Commissioner Queensland (OICQ) has released guidelines to help agencies prepare for the changes to the IP Act (IPOLA Guidelines)4. The IPOLA Guidelines explain how to apply and interpret the QPPs.

    This article examines QPPs 5 to 10. Agencies should understand and adhere to the QPPs in order to comply with the amended IP Act.

    QPP 5

    Core Obligations

    Agencies that collect personal information must take reasonable steps to inform the individual of the following matters (together, QPP 5 Matters):

    a. identity and contact details of the agency and the QPP privacy policy;

    b. the fact and circumstances of the collection;

    c. whether the collection was required or authorised by law or order, and the details of this law or order;

    d. the purpose/s of collection;

    e. the consequences (if any) if the personal information is not collected;

    f. the usual disclosure the entity makes of this kind of personal information, including overseas disclosure; and

    g. information about the agency's QPP privacy policy including how to access and amend personal information held.5

    This obligation applies:

    • irrespective of whether the personal information is collected directly from the individual or from a third party; and
    • to solicited personal information (see QPP 3 discussed in our previous IPOLA article here), and to any unsolicited personal information which is not de-identified or destroyed under QPP 4 discussed here.

    Agencies should take reasonable steps to inform the individual of the QPP 5 matters before or when collecting personal information directly from the individual. If this is impracticable, then reasonable steps should be taken as soon as practicable after the information has been collected. However, agencies are not obligated to provide a formal QPP 5 notice, and notice can occur using any appropriate method.6

    What are reasonable steps?

    What constitutes reasonable steps depends on the specific circumstances of the collection. To determine whether steps are reasonable, agencies should consider:

    • the sensitivity of the information, as defined by the IP Act;7
    • any adverse consequences for the individual arising from the collection;
    • whether an individual may find the QPP 5 Matters difficult to understand; and
    • any practical limitations – noting that agencies cannot avoid their obligations under QPP 5 solely because of inconvenience, time constraints or costs.

    The IPOLA Guidelines provide examples of reasonable steps in certain circumstances for the purposes of a QPP 5 notice:8

    Circumstances of collection | Reasonable steps that could be taken by an agency
    Direct collection via a form or website | Clearly and prominently displaying QPP 5 Matters in the form or providing a link to a QPP 5 notice.
    Regular phone collection | Use a staff script, automated message, or provide an option to hear the QPP 5 Matters.
    Verbal collection | Provide a brochure, fact sheet, template email or webpage outlining QPP 5 Matters.
    Collection by a third party | Contractually require the third party to notify individuals of QPP 5 Matters on the agency's behalf.

    QPP 5 obligation is not absolute

    QPP 5 requires an agency to take reasonable steps to notify individuals of QPP 5 Matters only where it is reasonably practicable. This is an objective test. Agencies should document their assessment in a privacy impact assessment.10

    The IPOLA Guidelines provide examples where notification may not be practicable. These can be accessed here.

    Where an agency determines there are no reasonable steps it can take to notify individuals of QPP 5 Matters, the IPOLA Guidelines suggest it should still endeavour to inform individuals of:

    • some, if not all, of the QPP 5 Matters;
    • the agency's privacy practices; and/or
    • its QPP policy.

    QPP 6

    Core Obligations

    Generally, agencies can only use and disclose personal information for the primary purpose for which it was collected. However, QPP 6 permits use and disclosure of personal information for other secondary purposes or in certain other circumstances.11 QPP 6.1 covers use and disclosure of information where an individual has consented, and QPP 6.2 sets out exceptions that permit the use or disclosure of information without consent.

    Use or disclosure for a secondary purpose with consent – QPP 6.1(a)

    An agency may use or disclose personal information for a secondary purpose if the individual would reasonably expect the agency to use or disclose the information for the secondary purpose, and:

    • for sensitive information, the secondary purpose is directly related to the primary purpose; or
    • for all other personal information, the secondary purpose is related to the primary purpose.

    Under the QPPs, express or implied consent must be valid. However, the IPOLA Guidelines recommend that agencies seek express consent where possible,12 especially when dealing with sensitive or privacy-invasive personal information.

    For consent to be valid:

    • the individual must have the capacity to agree;
    • the individual's consent must be voluntary, current and specific;
    • the individual must have been adequately informed before giving consent; and
    • the individual must hold the capacity to understand and communicate their consent.

    Use or disclosure for a secondary purpose without consent – QPP 6.2

    QPP 6.2 contains several exceptions that permit the use or disclosure of personal information for secondary purposes, without an individual's consent. These include:

    • where the individual would reasonably expect use/disclosure for the secondary purpose, and that purpose is related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose;
    • the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order;
    • a permitted general situation exists in relation to the secondary use or disclosure;
    • the agency is a health agency, and a permitted health situation exists in relation to the secondary use or disclosure;
    • an agency reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, a law enforcement agency;
    • ASIO has asked the agency to disclose the personal information; or
    • the secondary use or disclosure is necessary for public interest research or statistical purposes.

    Exception to use or disclose where reasonably expected

    Below are the criteria required for this exception to apply:13

    Requirement | Detailed description
    Would the individual reasonably expect the secondary purpose? | This is an objective test, based on what a reasonable person who was properly informed would expect in the circumstances. The responsibility rests with the agency to justify its conduct.
    Related or directly related primary purpose? | The secondary purpose must be related – or in the case of sensitive personal information, directly related – to the primary purpose of collection (see QPP 3 here). A related secondary purpose is one which is connected to or associated with the primary purpose – this link must be substantial.14 To be considered as directly related to the primary purpose, there must be a stronger connection between the use or disclosure and the primary purpose of collection.

    Authorised by law or court order exception

    Agencies can collect, use, or disclose personal information if required or authorised by a court or tribunal.15 This can include responding to a subpoena or complying with a court order as per QPPs 3.4(a), 3.6(a)(ii), and 6.2(b).16

    Natural justice exception

    Personal information may be used and disclosed where required or authorised under Australian law, including common law.17 This extends to disclosures necessary to afford natural justice – the right to be informed of, and respond to, information used in a decision that adversely affects an individual. Agencies are not required to use or disclose all relevant material. Rather, the agency is only required to use or disclose enough information about the material, provided it is credible, relevant and significant to the adverse finding, to allow the recipient to respond effectively. Agencies are obligated to remove or withhold any irrelevant personal information.18

    The onus is on the agency to justify the necessity of the use or disclosure. If natural justice can be afforded using de-identified information, personal information must not be disclosed.

    Permitted general situations exceptions

    There are certain permitted general situations where QPPs 3 and 6 do not apply. In these cases, agencies can collect, use, or disclose personal information to:

    • prevent a serious threat to life, health, or safety where it is unreasonable or impracticable to obtain the individual's consent first (see QPPs 3.4(a) and 6.2(c));19
    • investigate unlawful activity or serious misconduct related to the agency's functions or activities such as internal fraud (see QPPs 3.4(b) and 6.2(c));20
    • provide assistance in locating a missing person, provided it complies with guidelines issued by the Information Commissioner under QPPs 3.4(c) and 6.2(c);21
    • establish, exercise or defend a legal or equitable claim (see QPP 3.4(d) and QPP 6.2(c));22 or
    • conduct a confidential alternative dispute resolution process under QPP 3.4(e) and QPP 6.2(c).23

    In relation to investigating unlawful activity or serious misconduct, an agency must reasonably believe that use or disclosure is necessary to take appropriate action.24 This is an objective test, considering what a reasonable person, properly informed, would expect in the circumstances.

    Collection, use or disclosure of health information exception

    Health agencies may collect, use and disclose personal information which is health information for research or for statistical data relevant to public health and/or safety.25 These are considered 'permitted health situations'.26

    Under QPP 3.4(c), health agencies can collect health information if the information is necessary to provide a health service to an individual.27 This includes collecting family or social medical history if it is deemed necessary.

    Additionally, health agencies are permitted to use or disclose health information for public health research or statistical purposes, provided the research is conducted according to guidelines approved by the chief executive of the health department.28

    Health agencies can also collect health information for the management, funding, or monitoring of a health service. Examples include using patient data to conduct a study on the effectiveness of a new treatment or monitoring the spread of a contagious disease.

    Law enforcement agencies and activities exception

    QPP 6.2(e) allows an agency to use or disclose personal information for a secondary purpose if it is reasonably necessary for enforcement-related activities conducted by a law enforcement agency.29 This could include sharing information with another law enforcement agency to assist in an investigation or using personal information to track down a suspect. When personal information is used or disclosed under this provision, QPP 6.5 mandates that the agency make a written note of the use or disclosure.30

    Disclosure to ASIO

    Under QPP 6.2(f), an agency may be asked to disclose personal information by ASIO.

    Use and disclosure for public interest research

    Under QPP 6.2(g), personal information may be used or disclosed for research or statistical analysis in the public interest if:

    • it is necessary for the research or analysis;
    • the information will not be published in an identifiable form;
    • it is impracticable to obtain the individuals' consent; and
    • if disclosed to another entity, that entity is bound not to further disclose the information – this can be achieved by way of contract.31

    It is generally preferred that personal information is used for research with the consent or reasonable awareness of the individual. Agencies that collect or hold information with research value should contemplate potential future research needs and, where appropriate, build this into the information they provide under QPP 5.

    QPP 10

    Core Obligations

    QPP 10 requires agencies to take reasonable steps to ensure personal information collected and disclosed is accurate, up to date, complete and relevant to the purpose of use or disclosure.

    Descriptions for the requirements under QPP 10 are set out in the table below:

    Requirement | Detailed description
    Is personal information accurate? | Personal information is inaccurate if it contains errors, defects or is misleading. An opinion about the individual is not deemed inaccurate because the individual disagrees with it, provided that it is clear that the information is opinion (and not objective fact), it is based on reasonable grounds, and the view of the opinion giver is accurately recorded.
    Is personal information up to date? | Personal information is out of date if it contains facts, opinions or other information that is no longer current.
    Is the personal information complete? | If the personal information presents a partial or misleading picture as opposed to a true or full picture, it is considered incomplete.
    Is the personal information relevant for use and disclosure? | Prior to using or disclosing personal information under QPP 10, agencies must take reasonable steps to ensure the relevancy of the information. Where personal information lacks a bearing upon, or connection to, the purpose for which it will be used or disclosed, it will be deemed irrelevant.32

    What are reasonable steps?

    Whether steps are reasonable for the purposes of QPP 10 will depend on the circumstances at hand. The IPOLA Guidelines list factors that may be considered in making this determination, which can be found here.

    In some instances, agencies may find that there are no reasonable steps available. It is up to the agency to establish this.

    Agencies that regularly collect personal information from a third party should implement practices, procedures and/or systems to ensure the quality of personal information. This may include entering into contractual arrangements that procure the third party to take appropriate measures to ensure the quality of personal information collected by the agency, and/or undertaking due diligence of the third party's quality practices prior to collection.33

    Look out for our next article in the IPOLA Guidelines Series on QPPs 11-13.

    Authors: Clare Doneley, Partner; Jasneet Birdi, Associate; Chanel Gray, Associate; Alex White, Associate and Tanisha Chadha, Graduate.


    1. Office of the Information Commissioner Queensland, Basic Guide to the QPPs page 2 <Basic Guide to the Queensland Privacy Principles>.
    2. Office of the Information Commissioner Queensland, Basic Guide to the QPPs page 2 <Basic Guide to the Queensland Privacy Principles>.
    3. Office of the Information Commissioner Queensland, Basic Guide to the QPPs page 2 <Basic Guide to the Queensland Privacy Principles>.
    4. IPOLA Guidelines by the Office of the Information Commissioner Queensland (Website).
    5. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 5 page 2 <IPOLA Guideline - QPP 5 – Informing people when collecting personal information>.
    6. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 5 page 8 <IPOLA Guideline - QPP 5 – Informing people when collecting personal information>.
    7. IP Act, Schedule 5.
    8. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 5 page 5 <IPOLA Guideline - QPP 5 – Informing people when collecting personal information>.
    9. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 5 page 6 <IPOLA Guideline - QPP 5 – Informing people when collecting personal information>.
    10. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 5 page 8 <IPOLA Guideline - QPP 5 – Informing people when collecting personal information>.
    11. Concepts of 'use' and 'disclosure' are defined in Section 23 of the IP Act.
    12. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 6 page 2 <QPP6 - Use or disclosure>.
    13. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 6 pages 5-7 <QPP6 - Use or disclosure>.
    14. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 6 page 6 <QPP6 - Use or disclosure>.
    15. Schedule 5 of the IP Act.
    16. Office of the Information Commissioner Queensland, IPOLA Guideline on Authorised by Law or Court Order pages 2-3 <QPP 3&6 – Authorised by law or court order>.
    17. Schedule 5 of IP Act; Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 6 page 1 <QPP6 - Use or disclosure>.
    18. https://www.oic.qld.gov.au/__data/assets/pdf_file/0006/64194/Guideline-QPP6-Use-or-disclosure-for-natural-justice.pdf page 2
    19. Office of the Information Commissioner Queensland, IPOLA Guideline on Permitted General Situations page 3 <QPP3&6 -Permitted General Situations>.
    20. Office of the Information Commissioner Queensland, IPOLA Guideline on Permitted General Situations page 6 <QPP3&6 -Permitted General Situations>.
    21. Office of the Information Commissioner Queensland, IPOLA Guideline on Permitted General Situations page 9 <QPP3&6 -Permitted General Situations>.
    22. Office of the Information Commissioner Queensland, IPOLA Guideline on Permitted General Situations page 9 <QPP3&6 -Permitted General Situations>.
    23. Office of the Information Commissioner Queensland, IPOLA Guideline on Permitted General Situations page 10 <QPP3&6 -Permitted General Situations>.
    24. Office of the Information Commissioner Queensland, IPOLA Guideline on Permitted General Situations page 6 <QPP3&6 -Permitted General Situations>.
    25. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 6 page 8 <QPP6 - Use or disclosure>.
    26. Schedule 4, Part 2 of the IP Act; Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 6 page 8 <QPP6 - Use or disclosure>.
    27. Schedule 4, Part 2 of the IP Act; Office of the Information Commissioner Queensland, IPOLA Guideline on Health Agencies page 2 <QPP 3 & 6 – Health agencies: collection, use or disclosure of health information>.
    28. Schedule 4, Part 2 of the IP Act; Office of the Information Commissioner Queensland, IPOLA Guideline on Health Agencies page 2 <QPP 3 & 6 – Health agencies: collection, use or disclosure of health information>.
    29. Office of the Information Commissioner Queensland, IPOLA Guideline on Law Enforcement Agencies and Activities page 2 <QPP3&6 - Law enforcement agencies and activities>.
    30. Office of the Information Commissioner Queensland, IPOLA Guideline on Law Enforcement Agencies and Activities page 2 <QPP3&6 - Law enforcement agencies and activities>.
    31. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 6 page 12 <QPP6 - Use or disclosure>.
    32. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 10 pages 4-6 <QPP 10 Quality and accuracy of personal information>.
    33. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 10 page 4 <QPP 10 Quality and accuracy of personal information>.