Business Insight

Queensland's IPOLA Guidelines – Queensland Privacy Principles – Part 3 

    What you need to know

    Privacy reforms to the Information Privacy Act 2009 (Qld) are expected to commence on 1 July 2025. The reforms will introduce new Queensland Privacy Principles (QPPs) that replace the existing Information Privacy Principles and the National Privacy Principles.

    In this article we consider obligations under QPP 11, QPP 12 and QPP 13.

    • QPP 11 requires agencies to take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification or disclosure.
    • QPP 12 requires agencies to give an individual access to a document in their control, containing the individual's personal information, subject to the Right to Information Act 2009 (Qld).
    • QPP 13 requires agencies to take reasonable steps to correct the personal information they hold to ensure that, having regard to the purpose for which it is held, it is accurate, up to date, complete, relevant and not misleading.

    What you need to do

    • Agencies should be aware of the privacy reforms and implement practices, procedures and systems to ensure compliance with the new QPPs.
    • Agencies should only disclose information for the primary purpose for which it was collected, unless an exception applies.
    • An agency must ensure that the personal information it collects and discloses is accurate, up-to-date, and complete.

    On 4 December 2023, the Queensland Parliament assented to the Information Privacy and Other Legislation Amendment Act 2023 (Qld), with privacy reforms to the Information Privacy Act 2009 (Qld) (IP Act) expected to commence on 1 July 2025. You can read more about that here. This article examines Queensland Privacy Principles (QPPs) 11 to 13. Agencies should understand and adhere to the QPPs in order to comply with the amended IP Act.

    QPP 11

    Core Obligations

    QPP 11 imposes two key obligations:

    • agencies must take reasonable steps to protect the personal information they hold from misuse, interference, and loss, and from unauthorised access, modification or disclosure; and
    • agencies must destroy or de-identify personal information once it is no longer needed for any purpose for which it could be used or disclosed under the QPPs.1

    Security of personal information

    The terms misuse, interference, loss, unauthorised access, modification and disclosure are not defined in the IP Act and their meanings often overlap. However, the IPOLA Guidelines provide guidance on how to interpret them, as follows:2

    Term: Definition

    Misuse: means using personal information for a purpose not permitted by the IP Act. QPP 6 outlines the limited scenarios in which personal information can be used, so anything outside of those scenarios could be considered misuse (see QPP 6 discussed in our previous article here).

    Interference: means a cyber or physical incident that compromises personal information without necessarily modifying its contents, for example a ransomware attack that exposes data.

    Loss: includes both physical and electronic loss of information, such as misplaced USBs or the lack of a backup in case of system failure. Theft, power outages, or natural disasters could also lead to loss. Importantly, loss does not include intentional destruction or de-identification carried out in compliance with the QPPs or the Public Records Act 2023 (Qld) ('Public Records Act').

    Unauthorised access: occurs when personal information is accessed by someone who is not permitted to do so. This could be a hacker, or an internal staff member who should not have had access.

    Unauthorised modification: occurs when personal information is altered by someone who is not permitted to do so, or is altered in a way that is not permitted under the IP Act.

    Unauthorised disclosure: occurs when personal information is made accessible or visible to external parties in a way that is not allowed under the IP Act and the agency no longer has control over the information. For instance, an employee emailing a file containing personal information to the wrong recipient.

    Reasonable steps

    The reasonable steps an agency must take to ensure the security of personal information will depend on the circumstances, for example:3

    • the amount and sensitivity of the personal information held;
    • the possible adverse consequences for an individual if there is a breach and their personal information is not handled in accordance with the QPPs;
    • the practical implications of implementing security measures, considering the time and cost involved (note: it is not enough for an agency to claim that a security measure is time-consuming or costly for it to make the steps unreasonable); and
    • whether a particular security measure is privacy invasive.

    Destruction or de-identification of personal information

    This obligation is subject to the provisions of the Public Records Act and/or any order of a court or tribunal requiring an agency to retain the information. If an agency chooses to keep personal information, it must genuinely expect future use or disclosure, actively considering if the information will be required for a permitted purpose. Retaining information 'just in case' is insufficient.

    Generally, agency documents can only be destroyed or altered if the Public Records Act authorises it. The obligation for an agency to take reasonable steps to destroy or de-identify personal information will not apply to a document that must be retained under Australian law.4

    The table below highlights the differences between de-identification and destruction of personal information:5

    Destruction

    • For hard copy documents, destruction can involve: pulping, burning, pulverising, disintegrating or shredding documents.
    • For electronic documents, destruction can involve: 'sanitising' the hardware or irretrievably destroying the personal information through another method.
    • Where the above is not possible, de-identification should be considered.

    De-identification

    • Personal information is de-identified when the identity of the individual the information is about cannot, and in the future will not, be reasonably ascertainable.6
    • De-identification must be permanent, and the risk of re-identification must be actively managed by the agency.
    • De-identification is more appropriate where the information could provide further value or utility to the agency or a third party. For instance, if the agency shares de-identified information with researchers, or uses de-identified information to develop or inform public policy.

    Notably, if personal information is stored on third-party hardware, the agency must take reasonable steps to verify that the information was destroyed/de-identified.

    Putting personal information 'beyond use'

    If an agency cannot irretrievably destroy personal information held in electronic format, it must take reasonable steps to put the information 'beyond use'. Personal information is considered beyond use if it is no longer available for use in the ordinary performance of the agency's functions. The agency must:

    • not be able, and will not attempt, to use or disclose the personal information;
    • not be able to give any other entity access to the personal information;
    • apply appropriate technical, physical, and organisational security measures, including access controls, logs, and audit trails; and
    • commit to taking reasonable steps to irretrievably destroy the personal information if or when this becomes possible.

    Reasonable steps

    The reasonable steps an agency must take to destroy or de-identify personal information for the purposes of QPP 11 will depend on the circumstances, for example:7

    • the amount and sensitivity of the personal information held;
    • the possible adverse consequences for an individual if their information is not destroyed or de-identified;
    • the nature of the agency (its size, resources, and information storage methods);
    • the agency's information handling practices, such as how it collects, uses and stores personal information, including whether personal information handling practices are outsourced to third parties; and
    • the practical implications of destroying or de-identifying information, considering the time and cost involved (notably, it is not enough for an agency to claim that destroying or de-identifying information is time-consuming or costly for it to make the steps unreasonable).

    QPP 12

    Core Obligations

    QPP 12.1 provides a right to access personal information held by an agency. It mandates that agencies must provide access to personal information upon request, unless there are legal or confidentiality concerns that justify refusal. This principle operates alongside the Right to Information Act 2009 (Qld) (RTI Act).8

    Under QPP 12.2, an agency is not required to give access to personal information if it would be authorised to refuse access under the RTI Act or another Australian law that provides for access to, or amendment of, documents.9

    Access should not automatically be managed through formal RTI Act mechanisms; instead, agencies should consider providing access administratively when the circumstances are not contentious and there are no legislative or confidentiality barriers.10

    QPP 13

    Core Obligations

    QPP 13.1 requires agencies to take reasonable steps to correct the personal information they hold to ensure that, having regard to the purpose for which it is held, it is accurate, up to date, complete, relevant and not misleading.

    An agency is only required to take these reasonable steps if:

    • it is satisfied, independent of any request, that personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which it is held; or
    • the individual asks the agency to correct the information.

    Agencies do not need to continuously check the personal information they hold. However, if an agency becomes aware in the course of business that personal information is incorrect, it must take reasonable steps to correct it.11

    QPP 13 operates alongside, and is subject to, the amendment rights in the RTI Act and other laws that provide a right to amendment.12 QPP 13 does not prescribe a particular mechanism for correction requests. Agencies can give effect to QPP 13 by ensuring compliance with the RTI Act and administrative mechanisms for correction.13

    Where possible, correction of personal information should be managed administratively instead of through the formal RTI Act mechanisms. This should only be done where the information is not contentious, amending it would not breach legislative obligations, and amendment would not be refused under the RTI Act.14

    Making a notation

    If an agency refuses to correct personal information at an individual's request, the individual can ask the agency to provide a statement with the information to that effect.15 The agency must inform the individual of this option and, if requested, take reasonable steps to associate the statement in a way that makes it apparent to users.16 The statement should indicate that the information is inaccurate, out of date, incomplete, irrelevant, or misleading, and clarify whether it is based on the individual's assertion or the agency's inability to take reasonable steps to correct it.17

    Being satisfied that personal information is incorrect

    Being satisfied that personal information is incorrect does not always require detailed analysis; for instance, if an individual can correct their information through an online portal, no further steps may be needed. If more information is required to assess a correction request, the agency should clearly explain what is needed, why, and the consequences of not providing it, but should not place the entire burden on the individual.18 Agencies should be prepared to search their own records and other accessible sources, with the extent of investigation depending on the circumstances and potential adverse consequences for the individual.19

    Reasonable steps to correct

    Taking reasonable steps to correct personal information includes making appropriate additions, deletions or alterations to a record. In some circumstances, it may be appropriate to destroy or de-identify personal information if the agency is satisfied it is incorrect.20 If there are no reasonable steps an agency can take, it can decline to correct personal information. Agencies should also have regard to:21

    • the sensitivity of the information;
    • the possible adverse consequences for an individual if a correction is not made;
    • the practicability, including the time and cost involved (notably, it is not enough for an agency to claim that correcting information is time-consuming or costly for it to make the steps unreasonable);
    • the likelihood that the agency will use or disclose the personal information;
    • the purpose for which the personal information is held; and
    • whether the personal information is in the physical possession of the agency or a third party.

    Contracted service providers

    Contracted service providers are required to comply with the QPPs and are bound by section 35 of the IP Act. However, they are not subject to the RTI Act.22

    Agencies should ensure there are processes in place for individuals to access and correct their personal information held by bound contracted service providers.

    This could be done by, for example:23

    • ensuring contracted service providers understand their access and correction obligations under QPP 12 and 13 and providing guidance; or
    • by establishing in the contract that relevant documents remain under the control of the agency, which means individuals can apply to the agency for access to or correction of their information.

    Compliance with the QPPs will require agencies to understand how some key concepts in the IP Act have been amended. Look out for our final article in the IPOLA Guidelines Series where we explain some of these key concepts.

    Authors: Clare Doneley, Partner; Jasneet Birdi, Associate; Chanel Gray, Associate and Tanisha Chadha, Graduate. 


    1. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 11 page 4 <QPP 11 – Security, deidentification and destruction of personal information>.
    2. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 11 pages 2-3 <QPP 11 – Security, deidentification and destruction of personal information>.
    3. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 11 pages 3-4 <QPP 11 – Security, deidentification and destruction of personal information>.
    4. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 11 page 4 <QPP 11 – Security, deidentification and destruction of personal information>.
    5. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 11 page 6 <QPP 11 – Security, deidentification and destruction of personal information>.
    6. Section 12 of the IP Act.
    7. Office of the Information Commissioner Queensland, IPOLA Guideline on QPP 11 page 5 <QPP 11 – Security, deidentification and destruction of personal information>.
    8. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 2 <QPP 12 and 13 Access and correction under the QPPs>.
    9. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 2 <QPP 12 and 13 Access and correction under the QPPs>.
    10. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 3 <QPP 12 and 13 Access and correction under the QPPs>.
    11. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 2 <QPP 12 and 13 Access and correction under the QPPs>.
    12. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 3 <QPP 12 and 13 Access and correction under the QPPs>.
    13. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 3 <QPP 12 and 13 Access and correction under the QPPs>.
    14. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 3 <QPP 12 and 13 Access and correction under the QPPs>.
    15. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 4 <QPP 12 and 13 Access and correction under the QPPs>.
    16. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 4 <QPP 12 and 13 Access and correction under the QPPs>.
    17. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 4 <QPP 12 and 13 Access and correction under the QPPs>.
    18. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 4 <QPP 12 and 13 Access and correction under the QPPs>.
    19. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 4 <QPP 12 and 13 Access and correction under the QPPs>.
    20. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 5 <QPP 12 and 13 Access and correction under the QPPs>.
    21. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 5 <QPP 12 and 13 Access and correction under the QPPs>.
    22. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 6 <QPP 12 and 13 Access and correction under the QPPs>.
    23. Office of the Information Commissioner Queensland, IPOLA Guideline on QPPs 12 and 13 page 6 <QPP 12 and 13 Access and correction under the QPPs>.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.