content-left-bg.png
content-right-bg.png

Information privacy and right to information procedure

Version number 1.3 | Version effective 03 May 2022
PublishingPageContent
Information privacy and right to information procedure

Audience

Department-wide

Purpose

The procedure provides the responsibilities of all employees regarding managing information privacy and right to information requests.

Overview

Outlines the departmental requirements under Information Privacy and Right to Information (RTI) legislation.

Responsibilities

Employees

  • be aware of the requirements for protection of personal information as provided in the Personal information guideline
  • direct any privacy complaints to the department’s Privacy Officer, Information and Governance Management, Digital Transformation, Information and Technologies Branch
  • report suspected privacy breaches to their supervisor, manager, director or principal
  • action request for information applications in accordance with this procedure
  • complete the Keys to managing information (DoE employees only) online training course upon induction to the department.

Directors, principals or above

  • ensuring their employees are adhering to the requirements for protection of personal information as provided in the Personal information guideline
  • referring reported privacy breaches to the department’s Privacy Officer to take necessary action
  • assessing right to information requests in accordance with this procedure.

Director, Integrity and Assessment, Integrity and Employee Relations

  • Responsible for referring complaints, if necessary, to the:
    • Crime and Corruption Commission (CCC) as required under section 38 of the Crime and Corruption Act 2001 (Qld), or
    • Legal and Administrative Law Branch if a complaint proceeds to the Office of the Information Commissioner or Queensland Civil and Administrative Tribunal (QCAT).

Process

Personal information

Personal information is primarily protected under the Information Privacy Act 2009 (Qld) which legislates how the department will:

  • collect, store, use and disclose personal information about people (employees, students etc.)
  • allow people access to their personal information held by the department
  • allow people to request changes or amendments to this information.

For supporting information relating to protection of personal information, refer to the Personal information guideline.

Collection of personal information

Employees when collecting personal information must:

  • only collect personal information directly from the individual, as required to carry out the tasks directly related to the functions and activities of the business unit or school
  • only use departmental approved forms, questionnaires, interviews, survey tools or other tools used to collect personal information
  • provide a privacy notice (see Personal information guideline) to the individual on collection of their personal information.

Security of personal information

Employees must apply protection to the personal information they control by:

  • classifying personal information with an information security classification (DoE employees only) and applying security controls accordingly
  • protecting and securing personal information (DoE employees only) in both paper and digital formats and on mobile devices from loss, unauthorised access, use, modification or disclosure, and any other misuse
  • reporting any loss of personal information to their manager, director or principal
  • not emailing student personal information outside the department’s corporate network.

Provision of personal information

The department publishes details of the type of personal information it holds, for what purpose and use on the How do I access information? web page.

An individual whose information is held by the department has the right to expect that any access is permitted only for authorised purposes. Employees must:

  • seek approval from their director, principal or above to undertake requests by individuals to access and amend their personal information
  • when processing requests, undertake identity authentication to be satisfied as to the requestor's identity or the identity of the parent or guardian for an individual under 18 years, and their right to access or amend the personal information
  • where there is doubt about an individual's right to access or amend personal information must advise them of the RTI and Information Privacy application process.

Checking accuracy of personal information

Employees must check the accuracy, completeness and currency of personal information before use.

For further guidance on checking accuracy of personal information, refer to the Personal information guideline.

Use and disclosure of personal information

Employees must only use personal information for the purpose for which it was collected, unless the individual concerned has consented to the use of the information for another purpose or an exception applies (see the Personal information guideline) for details. Any approved use must be recorded in the individual's file or in the system where the personal information is stored.

Directors, principals or above who authorise requests for disclosure of personal information must:

  • ensure requests for disclosure of personal information are in writing and provide justification for why the information is required (see Obtaining and managing student and individual consent procedure)
  • ensure the individual concerned is aware of, or has consented to that disclosure
  • advise the recipient in writing to not use or disclose the personal information for a purpose other than the purpose for which it was provided
  • ensure the disclosure:
    • is authorised by law to do so
    • is necessary for certain types of law enforcement
    • there are reasonable grounds in existence to indicate that the use of this information is necessary to prevent or lessen a serious and imminent threat to the life or health of that person
  • record decisions to disclose the information (including reasons for disclosure and the information disclosed).

Principals are also to follow the Access to records held in schools procedure.

Privacy complaints

Employees must direct any privacy complaints to the department’s Privacy Officer. The complainant must have a response within 45 business days.

The Director, Integrity and Assessment, Integrity and Employee Relations will refer the complaint, if necessary, to the:

  • Crime and Corruption Commission (CCC) as required under section 38 of the Crime and Corruption Act 2001 (Qld), or
  • Legal and Administrative Law Branch if a complaint proceeds to the Office of the Information Commissioner or Queensland Civil and Administrative Tribunal (QCAT).

In some instances it may be necessary for a matter to be referred to the Director, Integrity and Assessment, Integrity and Employee Relations from the CCC for investigation in relation to a potential breach of the Queensland Government’s Code of Conduct for the Queensland Public Service, the Standard of Practice and/or the Public Service Act 2008 (Qld).

Privacy breaches

Any employee who suspects a breach of privacy must report it to their supervisor, manager, director or principal and email the privacy mailbox. The supervisor or manager will liaise with the department’s Privacy Officer to take necessary action.

Information release, access and use

The department has a number of ways in which members of the community, employees, students and parents/guardians can access information held by the department. The department provides government information to the public to the maximum extent possible, unless on balance it is contrary to the public interest to do so.

Information held by a regional office or central office is also accessed in accordance with the Administrative access scheme for central and regional offices process. Access to school related information follows Access to records held in schools procedure. Employees can access their own records through the Human Resources Branch in accordance with the Public Service Regulation 2018 (Qld).

Employees must be aware that any information held in the department (documents, data, emails, text messages, etc. including personal correspondence) can be made available and/or released to the public under Right to Information Act 2009 (Qld) (RTI) by:

  • proactive publication to the website under 'published information' within specified categories of information (also known as a publication scheme)
  • an administrative release where information is released to an individual or organisation at their request without having to lodge a formal RTI and Information Privacy Application, or
  • a formal RTI and Information Privacy Access Application where the information and/or its metadata is published under the disclosure log on the department's website. Personal information requested under the Information Privacy Act 2009 (Qld) also follows this process. This formal application for government-held information should only be made as a last resort.

If an employee receives a request for information they must, in consultation with an Information Access Officer in their business unit, determine which process for release is to be followed considering:

  • any requests for information from the media is directly forwarded to the Strategic Community Engagement at media@qed.qld.gov.au
  • request for the release of closed or restricted records including those held at Queensland State Archives is to be forwarded to the Director, Information and Governance Management, Information and Technologies Branch as under the Public Records Act 2002 (Qld) they may require authorisation for release by the Deputy Director-General, Corporate Services, Assistant Director-General, Information and Technologies, Executive Director, Digital Transformation, Information and Technologies Branch or school Principal (who are authorised by the Director-General to set and change restricted access periods and approve access to restricted records)
  • the information that is to be released complies with the Information asset and recordkeeping procedure
  • the department supports the exchange of government information with other government entities where there is a business need and it is permitted or required by legislation
  • if it has been determined the information can be released directly to the department's website under the publication scheme the Information Access Officer coordinates with Web and Digital Production, Information and Technologies Branch via Services Catalogue Online (DoE employees only) or email webworkrequest@qed.qld.gov.au to release the information
  • the Administrative access scheme process must be followed for administrative releases
  • the information must be provided to the maximum extent possible free of charge
  • where unable to provide administrative release or a direct release, direct the requesting party to the department's website to make a formal RTI and/or Information Privacy Application.

Employees receiving a request for information requested under a RTI and Information Privacy Access Application are to:

  • take all reasonable steps to locate relevant documents (both electronic or hardcopy documents) and respond by the due date set by the Information Release Unit, Legal and Administrative Law Branch this includes:
    • any paper or other material on which there is writing
    • any paper or other material on which there are marks, figures, symbols or perforations having a meaning for a person qualified to interpret them; and
    • any disc, tape or other article or any material from which sounds, images, writings or messages are capable or being produced or reproduced (with or without the aid of another article or device).
  • understand that if they do not provide all relevant documents the department and its officers may have to defend their conduct before the Information Commissioner or the Queensland Civil and Administrative Tribunal (QCAT). It could also result in an adverse report to Parliament about the department's non-compliance
  • keep an accurate record of time spent searching for and retrieving the documents. However, the time spent by employees in photocopying, collating or searching for documents where they should have been stored, but are not found to reside there, cannot be recorded by the employee undertaking these tasks.

An employee who has been delegated the role of Information Access Officer for their business unit is to:

  • provide advice on right to information and information privacy requests
  • coordinate within the required timeframes approval processes including searching for the required information/documents consulting with Legal and Administrative Law Branch, when required
  • prepare and advise on the administrative release of information following the Administrative Access Scheme process
  • create records where necessary within an authorised recordkeeping system of the original request and documents
  • seek necessary approval according to the required process.

Manager, director or above must:

  • ensure information released on the Right to Information website meets the requirements of significance, accuracy and relevance
  • approve the administrative release of information following the Administrative Access Scheme process
  • coordinate regular reviews of information from, or about, the business unit on the department's Publication scheme website and other departmental websites to ensure the continued relevance, significance and accuracy of published information
  • proactively identify new information for consideration to be published on the department's Right to Information website
  • approve internet publication of all new and revised information ensuring it is accurate, relevant and has no copyright or other agreements restricting its release and publication
  • ensure an Information Access Officer has been appointed to their business unit to adhere to this procedure.

Definitions

Term

Definition

Personal information

Information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.

Legislation

Delegations/Authorisations

  • Nil

Other resources

Superseded versions

Previous seven years shown. Minor version updates not included.

1.0 Information Management (IM)

1.0 Information privacy and right to information

Review date

01 November 2018
Attribution CC BY
PageFeedback_BottomLeft
Was this page useful?
SocialMedia_BottomRight