Privacy plan
This document should be read in conjunction with the QSA's Information Management Policy: School and student data.
Policy statement
This plan provides information about the Queensland Government's privacy policy and helps QSA staff deal with personal information. The Queensland Government has adopted Information Privacy Standard IS42 as a guide for collecting and handling personal information.
The 11 information privacy principles in the standard govern how QSA and other agencies collect, use and disclose personal information.
The standard states, "Personal information held by Queensland agencies must be responsibly and transparently collected and managed (including any transfer or sale of personal information held by agencies to other agencies, other levels of government or the private sector) in accordance with the requirements of the information privacy principles."
Personal information is defined in the standard as "information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."
The QSA will explain to you:
- the nature of the records of personal information we hold
- the purpose for which each type of record is kept
- the classes or types of people about whom records are kept
- the period for which each type of record is kept
- which people are entitled to have access to personal information contained in the records, and the conditions under which they are entitled to have access
- the steps by which you are able to obtain access to that information.
Personal records
Our records on people currently and formerly involved in the functions of the QSA may include: your name, address, date of birth, occupation, employee identification number, gender, qualifications, next of kin, equal employment opportunity target-group designation, details of your pay, allowances and leave applications, your bank account details, work reports, resume details and selection reports, surveys and aptitude tests you have done, your results from testing programs, your employment history, tax file number, criminal record, racial or ethnic origin, and details of your physical or mental health.
The types of personal records the QSA requires include:
- employees' records containing personal information so that we can carry out our human-resource management functions. Information stored in our database is password-protected and is accessible by the Human Resources team and Corporate Administration Agency, QSA's payroll provider. We keep hardcopy personnel files in secure storage and only the Human Resources team has access to them. We forward information about employees to other government agencies when the agencies legally request us to.
- student records (including results from school-based assessment and statewide tests, and student work) to fulfil the agency's legislated functions, including certification, tertiary entrance rankings, and research. We store the records electronically in a secure, password-protected database, in secure cabinets in a secure area of the QSA, or in a secure off-site facility. They are accessed for research, analysis and evaluation by the manager, Client Services, the administration officer (assessment data), analysis and evaluation staff and senior officers.
- personal information about members of the Governing Body of the QSA, committees, subcommittees, review panels, external examination candidates, QCS Test markers and other bodies within the QSA so that we can carry out moderation of student work, syllabus development, testing and assessment. We pay personal claims and assess personal taxation categories to pay taxable income claims for non-QSA personnel. This way we can transfer funds directly into vendors' financial accounts, make out cheques, and determine levels of tax. We store this information electronically in secure password-protected databases or in a secure off-site facility.
- information about Queensland Core Skills Test personnel (markers, chief community representatives, community representatives). We store this electronically under secure password access. The information is general and is only available to specified staff. It is accessed by, and changes are made by, the manager (Testing), logistics officer, senior operations officer, operations officer, operations support officer, itembank coordinator and administrative officer. Information concerning marker payment and student results can only be accessed by the test facilitator, operations officer and logistics officer. We convey data about delivery of material to delivery agencies.
- over-the-counter personal details of clients. The QSA needs access to clients' personal details so we can perform our functions. We collect this information to certify copies of certificates, send publications and determine the equivalence of overseas results. We store this information electronically and in hardcopy. It is accessed only by administration officers in Customer Services and finance officers.
- vendors' personal information. The QSA accesses business and individual data so that we can issue purchase orders for the supply of goods and services. We retain this information electronically in secure databases or in hardcopy stored in secure filing systems. The information is accessed by the senior finance officer, manager finance, the travel officer and administrative officers.
Retention and disposal of records
The QSA uses information only for the purposes for which we collected it. We retain information according to the requirements of the Library and Archives Act 1988 and other relevant acts. We keep track of records in our Retention and Disposal Schedule.
Personal information exempt from IS42
Information about the following areas is exempt from Information Privacy Standard IS42.
Covert activities
- personal information about an individual arising out of an operation within the meaning of the Police Powers and Responsibilities Act 2000 or personal information to do with a covert operation of a law enforcement agency
- personal information about an individual arising out of a warrant issued under the Commonwealth Telecommunication (Interception) Act 1979
Witness protection
- personal information about a witness who is in a witness protection program under the Witness Protection Act 2000 or who is subject to other witness protection arrangements made under an Act
Disciplinary actions and misconduct
- personal information about an individual arising out of an investigation of misconduct or official misconduct under the Crime and Misconduct Act 2001
Whistleblowers
- personal information about an individual that is contained in a public interest disclosure within the meaning of the Whistleblowers Protection Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure
Commissions of inquiry
- personal information about an individual arising out of a royal commission or commission of inquiry.
Existing contracts, licences and outsourcing arrangements
The QSA contracts external bodies to supply goods and services. In many cases the agreements extend over a number of years and include consultancies. We review existing contracts and sometimes alter them to comply with the privacy principles.
Public registers
The QSA allows only specific categories of people to access its records.
The QSA holds no public registers.
Information privacy principles (IPPs)
IPPs 1-3 deal with collecting personal information
These mean that we collect information only for a lawful purpose and by fair means, and that each piece of personal information we collect is necessary and directly related to the purpose for which that information is being collected.
We must clearly indicate under whose authority we are collecting the information, why we are collecting the information and, if we pass the information on to another agency, who that agency is and if that agency is likely to pass it on to someone else.
We also need to make sure that the information is up to date and complete, and that we don't intrude on your personal affairs unreasonably when we collect the information.
We will aim to tell you about these aspects before or at the time when we collect the information.
IPP 4 deals with the storage and security of personal information
We will ensure that personal information is stored safely and securely. We will take precautions to ensure that your information is protected from loss, unauthorised access, modification or disclosure to anybody else, and is not used in an unauthorised way if we send your information to another organisation as part of our functions.
We will dispose of any records that contain personal information.
IPPs 5-8 deal with access, alteration and the accuracy of personal information
We must give you the opportunity to find out whether we hold any personal information about you, what the nature of that information is, the purpose for which we use it, and how you can gain access to that information (unless that is prohibited under the law).
You can apply under the Freedom of Information Act 1992 for access to your personal information and you are entitled to correct it if you consider it is inaccurate or incomplete. We will take steps to ensure that your information is accurate and complete.
IPPs 9-11 deal with the use and disclosure of your personal information
The information that we have collected about you will only be used for the purpose which we stated. However, there may be some circumstances when we will use your information for other purposes. These are when:
- you consent to our using it for another purpose
- it is necessary to prevent or lessen imminent threat to health or life
- it is permitted by law
- it is necessary for law enforcement
- the purpose is closely related to the original reason for collection.
The information that we hold can be disclosed only to you unless:
- you are likely to be aware, or were made aware, that some other disclosure will occur
- you consent to our using it for another purpose
- it is permitted by law
- it is believed to be necessary to prevent or lessen imminent threat to health or life
- it is necessary for law enforcement.
Implementing the Privacy Plan
| Step | Objectives | Possible strategy options |
|---|---|---|
| 1 | Identify who in the QSA has responsibility for: | |
| 2 | Inform staff of information privacy principles and privacy requirements under the Information Standard and Guidelines, together with the name of their privacy contact officer (ongoing). | |
| 3 | Ongoing modification of the privacy plan | |
| | Identify any statutory requirements that will supersede requirements of the IPPs. | Review acts and regulations if appropriate. |
| | Review any agency contracts and licence agreements for compliance with IPPs. | When any current licences or contracts cease, legal obligations under the new privacy regime will apply. |
| | Update all notices, application forms, questionnaires, etc. to ensure they comply with IPPs. | Update forms or notices to ensure compliance with the IPPs. |
| | Identify QSA policies and procedures that need to be developed. | Ongoing |
| 4 | Form Committee of Review. | To include privacy officer, manager (Administration) and deputy director (Curriculum) |
| 5 | Prepare and have approved QSA policies and procedures identified in Privacy Plan. | Update QSA's corporate plan and other relevant documents to reflect commitment to the IPPs. |
| 6 | Advise QSA's clients of how the QSA will comply with the IPPs. | Update QSA's corporate plan and other relevant documents to reflect commitment to the IPPs. |
| 7 | Ensure QSA staff are notified of procedures to store, process and use personal information. | Remind existing staff via email or brochure. Produce induction training material to inform new employees. |
| 8 | Ensure QSA's vendors are notified of procedures to store, process and use personal information. | New vendors notified. |
| 9 | | Ongoing development of: |
Procedure to gain access to personal information
To obtain access to records, and to correct records, contact the Director of the QSA in writing. Note that rights of access and correction are limited to existing rights under the Freedom of Information Act 1992. See the QSA's Information Management Policy for further details.
Review procedure
If you believe that your personal information has not been dealt with in accordance with an IPP, you can ask the QSA to hold an internal review. You must make your request in writing and you must request the review within six months from the date when the breach was suspected to have occurred. Forward your request to the Director of the QSA.
We will acknowledge requests for review in writing, within 14 days from when we received the application, and we will process the request within 60 days from when we received the application. We will inform applicants of our decision in writing.
If you do not agree with the QSA's decision you can request an internal review by a more senior officer who has not previously been involved in the matter. This will be done within 45 days. The Director will respond to you in writing.
Make initial requests to:
The Privacy Officer
Queensland Studies Authority
PO Box 307
SPRING HILL QLD 4004
or email privacy.officer@qsa.qld.edu.au.
Last reviewed: 17 December 2007
