05 August 2013

Qld Privacy Regime

The Queensland Department of Justice and Attorney-General is seeking comment on a discussion paper [PDF] regarding the Information Privacy Act 2009 (Qld) as part of the statutory review of that enactment and associated Right To Information Act 2009 (Qld).

That review is to
  • decide whether the primary objects of the Acts remain valid; 
  • decide whether the Acts are meeting their primary object; 
  • decide whether the provisions of the Acts are appropriate for meeting their primary objects; and 
  • investigate any specific issues recommended by the Minister or the Information Commissioner.
The 22 page paper considers the Information Privacy Act’s privacy provisions, ie those that regulate the collection, storage, use and disclosure of personal information by the state government. It asks the following questions -
  • 1. What would be the advantages and disadvantages of aligning the state Information Privacy Principles (IPPs) with the Australian Privacy Principles (APPs), or adopting the APPs in Queensland? 
  • 2. Does the IP Act inappropriately restrict the sharing of information? If so, in what ways? Do the exceptions need to be modified? 
  • 3.  Should the definition of personal information in the IP Act be amended to bring it into line with the definition in the Commonwealth Privacy Amendment Act 2012
  • 4. Should government owned corporations in Queensland be subject to the Queensland’s IP Act, or should they continue to be bound by the Commonwealth Privacy Act? 
  • 5. Should s 33 be revised to ensure it accommodates the realities of working with personal information in the online environment? (Section 33 restricts the circumstances under which personal information can be transferred outside Australia by Queensland Government agencies - agencies are required to consider whether personal information will be transferred out of Australia and may only transfer personal information out of Australia where one of a number of exceptions applies, eg "the agency is satisfied on reasonable grounds that the transfer is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual, or to public health, safety or welfare")
  • 6. Does s 33 present problems for agencies in placing personal information online? 
  • 7. Should an ‘accountability’ approach be considered for Queensland? 
  • 8. Should the IP Act provide more detail about how complaints should be dealt with? 
  • 9. Should the IP Act provide more flexibility about the timeframe for complaints to the OIC to be lodged? 
  • 10. Are additional powers for the Information Commissioner to investigate matters potentially subject to a compliance notice necessary? 
  • 11. Should a parent’s ability to do things on behalf of a child be limited to Chapter 3 access and amendment applications? 
  • 12. Should the definition of ‘generally available publication’ be clarified? Is the Commonwealth provision a useful model? 
  • 13. Should the reference to ‘documents’ in the IPPs be removed; and if so how would this be regulated? 
  • 14. Should IPP 4 be amended to provide, in line with other IPPs, that an agency must take reasonable steps to ensure information is protected against loss and misuse? ("IPP 4 provides that an agency having control of a document containing personal information must ensure that the information is protected against loss and misuse etc. The strict requirement in IPP4 means that there is no element of reasonableness or a requirement to take reasonable steps as is the case in the other IPPs. In effect, an agency would be responsible for a breach of IPP 4 where, for example, an employee simply steals personal information, even where all possible measures have been taken to keep the information secure.")
  • 15. Should the words ‘ask for’ be replaced with ‘collect’ for the purposes of IPPs 2 and 3?