Privacy – it’s everyone’s business!

Privacy Awareness Week (PAW) is an annual event dedicated to highlighting the importance of protecting our personal information. This year, it runs from Monday 16th to Sunday 22nd June, under the theme: “Privacy – it’s everyone’s business”.
The Office of the Information Commissioner (OIC) has PAW resources available on their website and launched PAW with a keynote presentation “Learning from Data Incidents: What Safety Can Teach Us About Privacy” delivered by Ms Georgina Poole, followed by a panel discussion.
Privacy Awareness Week is a great time to take a moment to ensure your public authority is up to date on the latest changes to protecting personal information. This includes the recent changes to the collection and management of identity documents and the upcoming amendment to the definition of personal information in the Public Records Act 2023 (PR Act).
As a result of recent data breaches, processes used by public authorities to collect and manage identity documents received during provision of services to Queenslanders will be changing. The Information Privacy and Other Legislation Amendment Act 2023 (the IPOLA Act) was passed in November 2023 with reforms commencing on 1 July 2025.
Agencies will soon be subject to new requirements for managing personal information and a new Mandatory Data Breach Notification scheme (the scheme) under the Information Privacy Act 2009 (IP Act). You can read more about managing identity documents and the scheme on our website. Access the IP Act here and IPOLA Act here.
The definition of Personal Information will also be amended in the PR Act to align with the amended IP Act 2009. You can read the definition here.
Below are a few key ways in which you can better manage personal data in your public authority.
Collection and management of personal information
When capturing personal identity information, consider the sensitivity of the information contained in public records. Public authorities must comply with requirements under the IP Act when collecting and managing personal identity documents. The OIC has provided guidance on complying with the Act and using the Information Privacy Principles in relation to personal information that you may find helpful. You can see this information here.
QSA has developed five disposal authorisations, located within the Identity Documents activity in the General Retention and Disposal Schedule (GRDS), to help public authorities to actively manage identity documents received during business transactions.
You may find that multiple, current disposal authorisations apply to identity documents received or collected by your public authority during business transactions. In these instances, you may choose to retain identity documents for the longest applicable minimum retention period as long as any legal obligations under the PR Act, the IP Act and IPOLA Act or any other applicable legislation are met.
Have a defensible process
Once your public authority decides on the best disposal authorisation(s) for managing public records containing personal information, you can document this decision through the development and approval of a defensible process. Your defensible process can also be used to document the business process that will be followed by your public authority to manage and dispose of public records containing personal information.
Having an approved defensible process in place means that you can refer to this document if questions are raised by members of the public or other individuals about how personal information in public records is managed by your public authority.
Your Chief Executive Officer or their authorised delegate will need to approve the defensible process.
We have further information and resources regarding the development of a defensible process on our website here.
Dispose of data that is no longer required
Data breaches are an increasing threat that demand our urgent attention. Many breaches occur because data and privacy principles—such as proper data governance and security—are not applied consistently across the entire information lifecycle.
One often-overlooked issue is the over-retention of information and the reluctance to dispose of it when it is no longer needed.
There are many ways to manage privacy risks. A key starting point is to collect only the minimum amount of personal information necessary to deliver a service. That information should then be securely disposed of once it is no longer required, in line with the appropriate legislation and disposal authorisations.
Restrict unnecessary access to personal information
Not all data breaches are the result of malicious intent—many happen completely by accident. For example, you might forward an email without noticing that it contains an attachment with customer, patient or employee personal information, inadvertently sending it to people who shouldn’t have access.
A data breach like this can have real-world, detrimental impacts on the safety and well-being of members of the community and employees. It’s important that we take the time in our everyday business practices to follow simple, yet highly effective ways to manage and safeguard personal information.
Restricting access to personal information in the first place can be one of the best ways to prevent it from being breached. For example, if you need to retain public records that contain identity documents or personal data, these records should be locked down and access restricted to the least number of staff possible. A working copy of the records can be created, with identity or personal information redacted so that staff can use the public record where necessary to complete work whilst avoiding unnecessary access to the data.
Similarly, ensuring that recordkeeping or business systems have appropriate security controls is another simple yet highly effective way to minimise data breaches. Only approved persons should be able to access public records with sensitive and personal information.
For more information and resources go to the Office of the Information Commissioner website oic.qld.gov.au.
