Privacy Plan

Introduction

The Information Privacy Act 2009 regulates how public sector agencies and statutory bodies, such as the Office of the Queensland Ombudsman (QO), must manage personal information. It creates an obligation to comply with the 11 Information Privacy Principles (IPPs) which are contained in Schedule 3 to the Information Privacy Act. It sets out the conditions under which personal information may be transferred outside of Australia, and the rules regarding contracted service providers. Chapter 3 of the Information Privacy Act contains a right for individuals to access and amend their personal information.

In addition to the application of the IPPs, the Ombudsman Act 2001 prohibits disclosure of information obtained while performing a function under the Act unless the disclosure is for a specified purpose (ss 92 and 91A).

Application of this plan

This plan applies to:

• all QO employees, whether permanent, temporary or
• casual work experience placements and volunteers
• selection panel members involved in the recruitment of QO employees
• any person or entity engaged by the QO to provide services, information or advice.

This plan outlines the obligations on the QO and its employees in relation to the collection, management, use and disclosure of personal information held by the QO.

What is 'personal information'?

'Personal information' is defined in the Information Privacy Act as:

Information or an opinion including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

It is not necessary for the information to be sensitive or confidential. It is also not necessary for the information to disclose directly the identity of the individual. It is sufficient if their identity could be ascertained through a series of steps, for example, by combining several pieces of information.

What are the QO's obligations under the Information Privacy Act?

The IPPs apply to the QO and specify how personal information is to be collected, stored, secured, accessed, amended, used and disclosed. The 11 IPPs concern:

1. collection of personal information (lawful and fair)
2. collection of personal information (requested from individual)
3. collection of personal information (relevance etc.)
4. storage and security of personal information
5. providing information about documents containing personal information
6. access to documents containing personal information
7. amendment of documents containing personal information
8. checking of accuracy etc. of personal information before use by agency
9. use of personal information only for relevant purpose
10. limits on use of personal information
11. limits on disclosure.

IPPs 1-3: Collection of personal information

The QO can only collect personal information for a lawful purpose directly related to its functions and activities. The purpose for collection should be specific and current and the information must be complete and up-to-date. The QO must not collect information in a way that is unfair or unlawful, and the collection must not intrude unreasonably into the personal affairs of the person.

When personal information is being collected, the QO must take reasonable steps to inform the individual:

• the purpose of collecting the information
• whether the collection is authorised by or required under law
• any person, body or agency to whom the information is normally disclosed.

IPP 4: Security of personal information

The QO must ensure that the information it holds is protected by reasonable security safeguards against loss, unauthorised access, use, modification or disclosure, or any other misuse.

Contracts between the QO and external service providers must include provisions to protect personal information holdings.

IPPs 5-7: Access to and amendment of personal information

The Information Privacy Act requires that the QO provide individuals with access to their own personal information held by the QO, except if this is not permitted by law. The QO must take all reasonable steps to ensure the personal information held by the QO is accurate, relevant, complete, up to date and not misleading. The QO must also allow an individual to request amendment of any inaccurate, irrelevant, out-of-date, incomplete or misleading personal information.

The categories of personal information held by the QO are identified below, as are the processes for making an application to access or amend personal information.

IPPs 8-10: Use of personal information

Before the QO uses personal information contained in a document under its control, the QO must take reasonable steps to ensure that personal information is accurate, up-to-date, relevant and complete before using it.

The QO must not use personal information for any purpose other than the purpose for which it was collected, unless:

• the individual has expressly or impliedly agreed to the use
• there are reasonable grounds to believe that the disclosure is necessary in order to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, or public health, safety and welfare
• the use is required or authorised by law
• the use is reasonably necessary for certain law enforcement activities (see IPP 10(1)(d))
• the use is directly related to the purpose for which the information was obtained
• the use is necessary for research or statistical analysis in the public interest and certain preconditions are met (see IPP 10(1)(f)).

IPP 11: Disclosure of personal information

The QO must not disclose personal information to a third party unless one of the following exceptions applies:

• the individual is reasonably likely to be aware that the information is usually passed to the other entity
• the individual has expressly or impliedly agreed to the disclosure
• there are reasonable grounds to believe that the disclosure is necessary in order to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, or public health, safety and welfare
• the disclosure is authorised or required under a law
• the use is reasonably necessary for certain law enforcement activities (see IPP 11(1)(e) and (ea))
• the use is necessary for research or statistical analysis in the public interest and certain preconditions are met (see IPP 11(1)(f))
• the information is used for a commercial purpose involving the QO's marketing of anything to the individual, but only if it is satisfied on reasonable grounds that the considerations listed in IPP 11(4) are met.

Transferring information overseas

The Information Privacy Act specifically regulates the transfer of personal information to entities outside Australia.

Information can only be transferred outside Australia by the QO if:

• the person agrees to the transfer; or
• the transfer is authorised or required by law; or
• there are reasonable grounds to believe that the transfer is necessary in order to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, or public health, safety and welfare; or
• two or more of the following apply:
  • the recipient is subject to binding privacy obligations that are substantially similar to the IPPs
  • the transfer is necessary to perform the QO's functions in relation to the individual
  • the transfer is for the benefit of the individual and it is not possible to seek their consent, but if sought it would likely be given
  • reasonable steps have been taken to ensure the information is protected.

Third party service providers

If the QO enters into a contract or other arrangement for the provision of services associated with the performance of any of the QO's functions, the QO must take all reasonable steps to ensure that the service provider is required, in discharging its obligation under the contract or arrangement, to comply with the relevant obligations contained in the Information Privacy Act, as if it were the QO.

The QO must ensure that the contract or arrangement contains appropriate privacy clauses, or documents steps taken to require the contractor to comply with the Information Privacy Act.

Acts administered by the QO

The Ombudsman's jurisdiction, powers and functions are contained in the Ombudsman Act, which authorises the collection and use of personal information. The Ombudsman is also the oversight agency for the Public Interest Disclosure Act.

Categories of personal information collected by the QO and how the information may be used/disclosed

The types of personal information the QO may collect, and the ways in which that information may be used, are as follows:

• Personal information about complainants, third parties or officials obtained in the course of receiving, and responding to, inquiries about the Ombudsman Act or the jurisdiction of the Office

This information may comprise a wide range of personal information of any type. It is used in responding to, assessing or investigating inquiries or jurisdictional issues under the Ombudsman Act and the compilation of statistics for internal use or publication (in a de-identified form). Any employee with responsibility for receiving and responding to inquiries, or the associated administrative activities, and any employee responsible for supervising such activities, may have access to it.

The Ombudsman Act (ss 92 and 91A) restricts the disclosure of information related to an inquiry (or investigation) except for purposes permitted under the Act including purposes connected with the Ombudsman's performance of the functions of investigating complaints and helping agencies improve their administrative practice, and the publication of reports to agencies, Ministers and Parliament.

This information may be disclosed to the agency complained about in order to obtain that agency's response to the details of the complaint or to seek clarification or further information.

This information may, with the complainant's consent (where it is reasonably able to be obtained), be referred to another agency to deal with where necessary or appropriate.

• Personal information about complainants, third parties or officials received in the course of receiving, assessing and responding to complaints, and conducting investigations, under the Ombudsman Act

This information may comprise a wide range of personal information of any type. It is used in receiving, assessing and responding to complaints or conducting investigations under the Ombudsman Act and the compilation of statistics for internal use or publication (in a de-identified form). Any employee with responsibility for conducting, or assisting in, or supervising, the relevant investigation or associated administrative activities, may have access to it.

The Ombudsman Act (ss 92 and 91A) restricts the disclosure of information related to an investigation (or inquiry) except for purposes permitted under the Act including purposes connected with the Ombudsman's performance of the functions of investigating complaints and helping agencies improve their administrative practice, and the publication of reports to agencies, Ministers and Parliament.

This information may be disclosed to the agency complained about in order to obtain that agency's response to the details of the complaint or to seek clarification or further information.

• Personal information about complainants, third parties or officials received in the course of receiving and dealing with complaints referred to the Ombudsman from another agency

This information may comprise a wide range of personal information of any type. It is used in conducting investigations under the Ombudsman Act and the compilation of statistics for internal use or publication (in a de-identified form). Any employee with responsibility for conducting, or assisting in, or supervising, the relevant investigation or associated administrative activities, may have access to it.

The Ombudsman Act (ss 92 and 91A) restricts the disclosure of information related to an investigation (or inquiry) except for purposes permitted under the Act including purposes connected with the Ombudsman's performance of the functions of investigating complaints and helping agencies improve their administrative practice, and the publication of reports to agencies, Ministers and Parliament.

This information may be disclosed to the agency complained about in order to obtain that agency's response to the details of the complaint or to seek clarification or further information.

• Personal information about complainants, which is collected and used in the course of conducting surveys

Information about complainants may be used to conduct surveys at the conclusion of an investigation to help the QO to assess and improve the performance of its functions, and to compile relevant statistics for internal use or publication (in a de-identified form).

Complainants are given an opportunity to advise the QO that they do not wish to be surveyed.

Information that identifies complainants (name and contact details only) may be provided to an external company solely for the purpose of that company conducting surveys on behalf of the QO.

The QO enters into agreements with these external companies which require that they must comply with the Information Privacy Act and keep all personal information about complainants confidential, and must not disclose that information, or any information they receive in the course of conducting the survey, to any person other than an employee of the QO.

• Personal information about our employees that is received or collected in the course of conducting human resource management functions

Employee personnel records consist of personnel, payroll, recruitment, performance appraisal and other records. The information collected may include name, date of birth, occupation, employee identification number, gender, medical information, qualifications, next of kin, relationship details, details of pay and allowances, travel records, personal financial information, leave details, time sheet information and overtime records, work reports, employment history, staff awards, disciplinary investigations and actions, performance assessments and criminal convictions, and records of information technology system usage.

Personnel information relates to current and former employees (including casual and temporary).

This information is used for the QO's internal human resource management functions, including assessing whether employees are complying with policies and procedures. It is also used to protect the QO's IT systems, and maintain computer and network system performance and security.

Limited and specific personal information is disclosed to third parties as appropriate, including Q-Super, the Australian Taxation Office, organisations in receipt of payroll deductions, external medical/emergency personnel, external payroll providers, Queensland Parliamentary Service internal and external auditors, QO internal and external auditors, banks, etc. Otherwise, information is only disclosed to third parties with the permission of the employee or as required by law (for example, to the Crime and Corruption Commission in connection with allegations of corruption).

• Recruitment

Recruitment records may consist of applications for employment with the QO, records relating to referee checks, interview notes, selection panel assessments, criminal history checks, serious disciplinary history checks, etc.

This information is collected and used solely for the purpose of selecting employees. It may be accessed by employees appointed to sit on selection panels, the delegate responsible for approving appointments, and any employee assisting with the administrative functions associated with recruitment. 

Applications for employment may also be disclosed to third parties forming part of a selection panel, and relevant details about a person's application may be disclosed to a person's nominated referees in the event their application warrants a referee check. Information about the selection panel's assessment of the successful applicant may be disclosed to other applicants as part of a feedback process, but otherwise, this information is not further disclosed without the consent of the individual.

• Personal information about government agency officers who contact the QO with training inquiries, and who participate in training courses conducted by the QO

The QO collects personal information (name, contact details, employment details, etc) about government agency employees in connection with carrying out its training functions. Persons who attend training courses conducted by the QO or who contact the QO with an inquiry about training are asked to supply personal information that facilitates the conduct of the training.

This information is collected and used solely for the purpose of conducting training and enhancing and improving the training services provided by the QO, and to compile relevant statistics for internal use or publication (in a de-identified form).

• Personal information about persons leaving messages on the QO's voicemail service and CCTV footage

If a person telephones the QO and leaves a voicemail message, the original recorded message will be deleted but a copy will be transferred to the relevant case file on the Office's electronic case management system. Employees responsible for receiving, assessing, responding to, investigating and internally reviewing complaints may have access to this information.

Persons visiting the QO's premises will be recorded by way of closed circuit television security system (CCTV). CCTV images are recorded, collected, stored, monitored and reviewed for the purposes of promoting the health and safety of employees, public safety, security, crime prevention and detention. QO employees may access these images in connection with their duties. Queensland Government security staff responsible for maintaining the security of the building may also access these images in connection with their duties. In the event of a threat to the health and/or welfare of employees of the QO or another agency housed in the building, a copy may be provided to other agencies housed in the building. A copy may also be provided to the Queensland Police Service for the purposes of investigating the possible commission of an offence.

Further information is detailed in our CCTV policy.

• Personal information about suppliers and potential suppliers of goods and services to the Office who are trading as individuals

This information is used only to facilitate the supply of, and payment for, goods and services by the QO. It may include names, contact details, bank account information and Australian Business Numbers and credit/debt information.

All of the information in the above-mentioned categories is retained for variable periods according to the applicable provisions of a Retention and Disposal schedule approved by Queensland State Archives under the Public Records Act 2002 and in accordance with the requirements of the Australian Taxation Office.

How to apply to the QO to access or amend personal information

Except where access is restricted by law, a person can apply to the QO to access and/or amend their own personal information. Personal information can be amended if it is inaccurate, incomplete, out-of-date or misleading.

Personal information cannot be accessed by others, except as provided for by the Information Privacy Act and the Right to Information Act 2009, or as required by other legislation.

A request for access must be made on the Right to Information and Information Privacy Access Application Form.

A request for amendment of personal information must be made on the Information Privacy Personal Information Amendment Application Form. 

Your completed application should be directed to our Right to Information and Privacy Coordinator or by post, attention to the Right to Information and Privacy Coordinator.

Complaints

If an individual believes that we have not handled their personal information in accordance with the Information Privacy Act, they may make a complaint to us. The complaint should be made in writing to the Right to Information and Privacy Coordinator.

For information on how to make a complaint, and how your complaint will be handled, refer to our Privacy Complaint Policy and Procedure.

If a complainant does not agree with our decision, or has not received a decision from us after 45 days, they may appeal in writing to the Office of the Information Commissioner.