Privacy policy

• This document serves as QRA’s Privacy Policy, outlining commitments and responsibilities for managing personal information.
• Further information is available on QRA’s website, providing transparency for individuals whose personal information is collected or held by QRA.

• Individuals may interact with QRA anonymously or using a pseudonym when making general inquiries, providing feedback, or accessing services that do not require identity verification
• Staff must respect this option unless QRA is required under law or authorised to deal with identified individuals or where it is impracticable to deal with individuals who have not identified themselves or use a pseudonym
• Staff are to refer to internal procedures on handling anonymous or pseudonymous. 

• Personal information is collected directly from individuals wherever possible, using lawful and transparent methods.
• Staff must ensure that only information relevant to QRA’s functions is collected and that individuals are not coerced into providing personal information.
   

The department must destroy or deidentify unsolicited personal information as soon as practicable if:

• it would not have been permitted to collect the personal information under QPP3, and
• it is not contained in a public record
• if it is lawful and reasonable to do so.

• Staff are to refer to internal procedures on assessing unsolicited personal information to determine if it could have been lawfully collected under QPP 3 and whether it is a public record.
• Staff are trained on the appropriate steps to securely destroy or de-identify unsolicited personal information when it cannot be lawfully retained, and how to manage unsolicited public records in compliance with the Public Records Act 2002.
   

Departments must take reasonable steps to ensure individuals are aware of key matters when their personal information is collected, whether directly from the individual or from a third party. These matters include:

• the department’s contact details
• the fact and circumstances of the collection, particularly if the information is collected from someone other than the individual
• the purpose of the collection and how the information will be used
• any consequences for the individual if the information is not provided.

• Staff are to refer to internal procedures on notifying individuals of the collection of personal information, including when and how to provide the required QPP 5 matters. 

• Staff are to refer to internal procedures on the primary and permitted secondary purposes for which information may be used or disclosed and assess whether the proposed use or disclosure falls within the permitted purposes.
• If in doubt, staff must seek guidance from QRA’s Privacy Officer before proceeding
• all uses or disclosures must be documented, including the purpose and justification for the action
• Any breaches or unauthorised disclosures must be reported immediately and managed in accordance with QRA’s privacy breach management procedures and Data Breach Policy

• Staff must take reasonable steps to ensure personal information collected is accurate, up to date and complete.
• Before using or disclosing personal information, staff must verify its accuracy and relevance to the intended purpose.

• QRA has robust security measures to safeguard personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
• Staff must adhere to QRA’s policies and procedures for securely handling personal information, including when accessing, sharing, retaining or disposing of it.
• Any unauthorised disclosure must be reported as a potential privacy breach and managed in accordance with QRA’s privacy breach management procedures and Data Breach Policy.
   

• Staff must follow internal procedures for responding to access and correction requests, including:
  • assessing whether access or correction is required under the Information Privacy Act 2009
  • providing access administratively where appropriate and lawful
  • documenting decisions to refuse access or correction, including reasons and any advice provided to the individual.
• Contentious or complex requests must be escalated to the Privacy Officer for review.
• Staff must ensure appropriate safeguards are in place when transferring personal information in response to access requests.
• Where QRA has control of a document containing personal information, it must give the subject of the information access if they ask for it.
• Generally, where the circumstances surrounding the information are not contentious, releasing it would not breach legislative or confidentiality obligations, and access would not be refused under the RTI Act, staff should consider providing access administratively.
• To correct personal information, staff must take reasonable steps if: it is satisfied, independent of any request, that personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regards to the purpose for which it is held; or the individual asks QRA to correct the information.

Mandatory Notification of Data Breach scheme created in Chapter 3A of the IP Act.

It imposes obligations on agencies to prepare, respond and communicate in the event of suspected eligible data breaches or confirmed eligible data breaches.

The anticipated commencement date for the MNDB scheme is 1 July 2025 for agencies