Queensland's IPOLA Guidelines – Queensland Privacy Principles – Key Concepts

    Privacy reforms to the Information Privacy Act 2009 (Qld) are expected to commence on 1 July 2025. The reforms will introduce new Queensland Privacy Principles (QPPs) that replace the existing Information Privacy Principles and the National Privacy Principles.

    In this article we examine key privacy concepts that agencies should understand and adhere to in order to comply with the amended IP Act and RTI Act.

    On 4 December 2023, the Queensland Parliament assented to the Information Privacy and Other Legislation Amendment Act 2023 (Qld) (IPOLA Act), amending the Information Privacy Act 2009 (Qld) (IP Act) and Right to Information Act 2009 (Qld) (RTI Act). You can read more about that here. This article examines key privacy concepts that agencies should understand and adhere to in order to comply with the amended IP Act and RTI Act.

    Personal information

    The concepts of personal information and sensitive information are crucial for agencies to understand and engage with in order to effectively comply with the IP Act.

    Definition of personal information

    The IPOLA Act will amend the definition of personal information to be:

    "information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion – whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not."1

    This definition has been adjusted to align with federal privacy legislation. The previous definition, under which a person's identity is 'apparent, or can be reasonably ascertained', is replaced with 'an identified individual or an individual who is reasonably identifiable'.

    Common examples of personal information under the new definition include:

    • name, signature, address, phone number, date of birth;
    • bank details and employment details;
    • medical records; and
    • commentary or opinions about the individual.2

    De-identification of personal information

    In certain circumstances, the QPPs will require agencies to de-identify personal information.3 De-identification involves amending personal information so it is no longer about an identified individual, or an individual who is reasonably identifiable.4

    It is crucial for agencies to recognise that de-identified data can still be at risk of re-identification, particularly when it is linked with external information. This may lead to a breach of the QPPs.5 Therefore, agencies should manage re-identification risks effectively to protect an individual's personal information. Given the technical complexity of de-identification, agencies may need to seek specialist legal and technical advice.

    Considerations for agencies6

    The following should be considered for the purposes of determining whether information is 'personal information' within the meaning of the IP Act.

    Issue | Consideration
    Identifiability | Agencies should determine if an individual can be directly or reasonably identified from the information, considering that an individual is reasonably identifiable if additional steps, such as cross-referencing with other sources, can reveal their identity. Agencies should also evaluate if there is a sufficient link between the information and the individual, as metadata or coded data may still be considered personal information if it can be linked to an individual.
    Recorded information | Agencies should be aware that personal information does not need to be recorded in material form. It can be verbal, written, communicated through sign language or spoken. For personal information recorded in a material form, the scope of what is "material form" is wide. It can include written documents, emails, images, videos, sounds, or can be discoverable from a physical object such as DNA in a blood sample.
    Deceased individuals | The IP Act does not consider information about a deceased person as personal information, unless it also includes details about living individuals. However, exceptions under the RTI Act allow agencies to treat information about deceased individuals as personal information.7

    Definition of sensitive information

    Sensitive information is a category of personal information that includes information about an individual's:

    • racial or ethnic origin;
    • political or religious affiliations;
    • membership of a professional or trade association;
    • sexual orientation or practices;
    • criminal or health records; or
    • biometric and genetic information.8

    Agencies must comply with Queensland Privacy Principles (QPPs) 3 and 6 when collecting, using and disclosing sensitive information. These principles ensure that sensitive information is collected only when necessary and is used or disclosed in a manner consistent with the purpose for which it was collected.

    You can find our article about it here.

    Use and disclosure of personal information

    Key principles of use and disclosure

    Use and disclosure of personal information are important concepts for agencies to consider under the IP Act to ensure legal compliance, protect individual privacy and maintain public trust.

    Under the IP Act, an agency uses personal information if it:

    • manipulates, searches or otherwise deals with the personal information;
    • takes the information into account in the making of a decision; or
    • transfers the information from a part of the entity having particular functions to a part of the entity having different functions.9

    This list is not exhaustive. Notably, "disclosure" is a different legal concept to "use" under the IP Act.10

    An agency discloses personal information when it gives personal information to another entity or places it in a position to find it out and:11

    • the second entity did not previously know and could not have discovered the information independently; and
    • the agency loses control over who can access the personal information.12

    Non-exhaustive examples that would constitute disclosure of personal information include:

    • directly communicating personal information to another entity (e.g., via email or phone);
    • publishing personal information in a publicly accessible format (e.g., on a website);
    • granting a third party access to a database containing personal information; or
    • failing to adequately secure its systems, inadvertently exposing personal information.13

    Elements for determining disclosure

    The following considerations are relevant for the purposes of determining whether disclosure of personal information has occurred or may occur.

    Element | Description
    Second entity's knowledge | Agencies should verify whether the second entity already knows the personal information or can obtain it independently. If so, sharing the information does not constitute disclosure.
    Second entity's ability to discover the information | Agencies should assess whether the second entity has a reasonable existing mechanism or relationship that allows it to access the personal information. It is not sufficient that the second entity can ask the individual for the information.
    Loss of control over the information | If an agency cannot restrict access, prevent further sharing, enforce security measures or require the return or destruction of information by the second entity, disclosure has occurred. However, if an agency retains control over how the second entity handles the personal information, then the action is not considered a disclosure under the IP Act.

    Consent and agency obligations

    Consent is a key concept under the IP Act. It involves giving an individual control over, and knowledge about, what is being done with their personal information.

    While consent can be express or implied, best practice is for agencies to seek express consent, especially when dealing with sensitive information. Agencies bear the onus of proving implied consent, which requires a reasonable inference from the individual's actions.14 This is an objective test. Agencies will be in a better position to establish implied consent where:

    • individuals are likely to have received and read the consent information; and
    • opt-out options are clear, prominently displayed and easily exercised with minimal consequences (e.g., no financial costs or effort required by the individual).

    In addition, past consent does not automatically apply to new uses of personal information, and an individual's silence should not be construed as consent.15

    Requirements for valid consent16

    Below are the elements agencies should consider to determine whether an individual has provided valid consent, and thus, whether agencies can rely on such consent.

    Element | Description
    Informed | Agencies must ensure individuals understand what information is collected, how it will be used, who will receive it, and the consequences of consenting or not. This needs to be explained in plain language – incorrect or misleading information may render the consent invalid.
    Voluntary | Agencies must ensure individuals have a genuine opportunity to provide or withhold consent without coercion or undue influence. Agencies should inform individuals about:

    • alternative options available if consent is refused;
    • the seriousness of potential consequences for refusing consent; and
    • any adverse effects on the individual's associates if consent is not given.
    Current | Agencies must confirm consent is current before relying on it. When seeking consent, agencies should inform individuals of the period for which their consent remains valid in the absence of a material change of circumstances.
    Specific | Agencies should avoid broad consent statements and separate each use or disclosure so individuals can consent to each independently. As a general rule, the more sensitive or privacy-invasive the information, the more specific the consent must be. If not, the consent may be invalid and this could result in a breach of the IP Act.
    Capacity | Agencies can presume an individual has the capacity to consent unless there are indicators suggesting otherwise. Factors that may impact capacity include age (noting that the IP Act does not specify a minimum age for privacy decisions), disability, temporary incapacity, and language barriers.

    Capacity means an individual is able to:

    • understand the nature of the consent decision;
    • form a reasoned judgement; and
    • communicate their decision.

    If an individual does not meet these criteria, agencies should assess whether a legally authorised representative can provide consent on their behalf.

    Agencies must provide individuals with a simple way to withdraw consent and clearly inform them of any resulting consequences. Withdrawal applies to future actions but does not affect past disclosures.17

    Practicable and impracticable

    The words 'practicable' and 'impracticable' are used throughout the QPPs.

    Practicable is defined as 'capable of being done', especially with the available means or with reason, meaning it is feasible to be done.18 Determining whether something is practicable involves considering all the circumstances surrounding the situation. However, it is not sufficient to consider that something is not practicable merely because it is inconvenient, costly or difficult. While these factors, and the severity of them, can be relevant in determining practicability, the fact that a practice is made slightly more onerous is not sufficient to consider it impracticable.19

    Several factors could render an action impracticable. These include:

    • if meeting the standard or principles would increase costs to an unworkable extent;
    • if adhering to the standard would render a legitimate and lawful action pointless;
    • if the action in question is in the public interest, but would be made extremely difficult or impossible by meeting the standard;
    • if meeting the standard would endanger the health or safety of an individual or compromise an investigation into a breach of the law; or
    • if the action would be contrary to public interest.20

    Exclusions

    Generally available publication

    The QPPs do not apply to generally available publications (GAPs),21 which include magazines, books, articles, newspapers or other publications available to the public either for free or for a fee.22

    A publication will be generally available to the public if it is equally accessible to all, without needing special interest or standing.23 However, documents released under the RTI Act are not considered GAPs, unless an agency uploads them to a disclosure log, or the applicant publishes them online.24

    If an agency copies personal information from a GAP into another document, the QPPs apply to the new document.25

    If an individual provides personal information for publication in a GAP, the QPPs may not apply.26

    Author: Clare Doneley, Partner; Jasneet Birdi, Associate; Chanel Gray, Associate and Tanisha Chadha, Graduate.


    1. Section 12 of the IP Act.
    2. Office of the Information Commissioner Queensland, IPOLA Guideline on Personal and Sensitive Information page 2 <IPOLA Guideline – Key privacy concepts and sensitive information>.
    3. Office of the Information Commissioner Queensland, IPOLA Guideline on Privacy and De-identified Data page 1 <IPOLA Guideline – Privacy and de-identified data>.
    4. Schedule 5 of the IP Act.
    5. Office of the Information Commissioner Queensland, IPOLA Guideline on Privacy and De-identified Data page 2 <IPOLA Guideline – Privacy and de-identified data>.
    6. Office of the Information Commissioner Queensland, IPOLA Guideline on Personal and Sensitive Information pages 3-7 <IPOLA Guideline – Key privacy concepts and sensitive information>.
    7. Section 37 of the RTI Act.
    8. Schedule 5 of the IP Act.
    9. Section 23(3) of the IP Act.
    10. Section 23(4) of the IP Act.
    11. Section 23(1) of the IP Act.
    12. Section 23(2) of the IP Act.
    13. Office of the Information Commissioner Queensland, IPOLA Guideline on Use and Disclosure, page 3 <IPOLA Guideline – Key privacy concepts use and disclosure>.
    14. Office of the Information Commissioner Queensland, IPOLA Guideline on Consent page 2 <Key privacy concepts consent>.
    15. Office of the Information Commissioner Queensland, IPOLA Guideline on Consent page 3 <Key privacy concepts consent>.
    16. Office of the Information Commissioner Queensland, IPOLA Guideline on Consent pages 1-6 <Key privacy concepts consent>.
    17. Office of the Information Commissioner Queensland, IPOLA Guideline on Consent page 6 <Key privacy concepts consent>.
    18. Macquarie Dictionary.
    19. Office of the Information Commissioner Queensland, IPOLA Guideline on Practicable and Impracticable page 1 <IPOLA Guideline – Practicable and Impracticable>.
    20. Office of the Information Commissioner Queensland, IPOLA Guideline on Practicable and Impracticable page 2 <IPOLA Guideline – Practicable and Impracticable>.
    21. Schedule 1, section 7(a) of the IP Act.
    22. Schedule 5 of the IP Act.
    23. Office of the Information Commissioner Queensland, IPOLA Guideline on Generally Available Publications page 2 <Key Privacy Concepts – generally available publication>.
    24. Office of the Information Commissioner Queensland, IPOLA Guideline on Generally Available Publications page 2 <Key Privacy Concepts – generally available publication>.
    25. Office of the Information Commissioner Queensland, IPOLA Guideline on Generally Available Publications page 2 <Key Privacy Concepts – generally available publication>.
    26. Section 28 of the IP Act.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.