Privacy policy

1. Purpose

The Department of Customer Services, Open Data and Small and Family Business (CDSB) is subject to Queensland's Information Privacy Act 2009 (IP Act) and its Queensland Privacy Principles (QPPs), which set out how we must handle personal information. At times, and in relation to certain types of information, we may also have privacy obligations under the Commonwealth Privacy Act 1988 and its Australian Privacy Principles (APPs). The APPs are similar in operation to Queensland's QPPs.

We are committed to protecting individuals' privacy, and we value the open, transparent and responsible handling of personal information. This privacy policy explains: (a) how we collect and manage your personal information, including:

1. the kinds of personal information we collect and hold
   1. how we collect and hold personal information
   2. the purposes for which we collect, hold, use and disclose personal information.
   3. how you can access or amend your personal information
2. how you can complain about our handling of your personal information, and how we will deal with the complaint.

2. Scope

This policy applies to:

• All employees working for us, regardless of whether they are permanent, fixed-term temporary, full-time, part-time or casual employees, on a fixed term contract and/or on secondment from another department or participating in a mobility arrangement. It also applies to other persons who perform work for us, including contractors, students gaining work experience and volunteers. For the purposes of this policy, the term contractor includes on-hired temporary labour services (agency staff).
• All personal information collected by us, and all personal information in our possession or under our control.

All employees, contractors, students and volunteers working for us are responsible for collecting and managing personal information in accordance with this policy and associated policies, procedures and guidelines.

3. Collection of personal information

The definition of 'personal information' is set out in under 'Definitions' (Attachment 2) at the end of this policy. Essentially, 'personal information' is information about an identified (or reasonably identifiable) individual.

3.1 Why do we collect personal or sensitive information?

We collect personal information when it is reasonably necessary for, or directly related to, performing our functions and providing our services.

These functions and services include:

1. Small and family business advocacy and support (for example, grants, mentoring and education programs, and resources offered through the Business Queensland website)
2. Customer service support to Queenslanders (for example, through Smart Service Queensland customer service channels)
3. Provision of shared services to Queensland Government (for example, human resources, payroll, financial management, ICT and information management, procurement and administrative services)
4. Cyber security resources and support
5. Open data (for example, publication of de-identified non-sensitive data via Queensland Government's Open Data Portal).

You can find more information about our functions and services, including shared services we provide to Queensland Government, under:

• the "What we do" and "Who we are" sections of our homepage
• the Queensland Shared Services, Corporate Administration Agency and Queensland Government Cyber Security Unit pages on www.forgov.qld.gov.au
• the CITEC website.

We also collect personal information to carry out our business functions, e.g. human resources management and recruitment processes.

3.2 How do we collect personal or sensitive information?

We may collect your personal information by various means, including in writing, by making a record of information provided to us verbally, through audio-visual recording or by other technical means. We will only collect your personal information by lawful and fair means.

Generally, we will only collect personal information directly from you. However, we may collect your personal information from someone other than you if:

• you consent to the collection, or
• it's unreasonable or impractical for us to collect the information from you, or
• the collection is required or authorised under Australian law or a court or tribunal order.

When we collect your personal information from you or someone else, or as soon as possible afterwards, we will take reasonable steps to advise you of (or ensure that you're aware of) the details of the collection as required under QPP 5.

3.3. Sensitive information

We may also collect sensitive information. The definition of 'sensitive information' is set out under 'Definitions' (Attachment 2) at the end of this policy.

We will only collect your sensitive information with your consent, unless the collection is authorised or required by law, or otherwise allowed under the IP Act.

3.4. The kinds of personal information we collect and hold

The kinds of personal information (including sensitive information) that we collect and hold are described in our Personal Information Register.

4. Use and disclosure of personal information

We use and (where applicable) disclose your personal information to perform our functions, in accordance with our privacy obligations. The definitions of 'use' and 'disclose' are set out under 'Definitions' (Attachment 2) at the end of this policy.

Generally, we will only use or disclose your personal information for the purpose for which it was collected, including:

• performing our functions and providing our services as described in the preceding section of this policy
• managing associated business processes, such as recruitment and human resources
  administration.

We may also use or disclose personal information for secondary or alternative purposes as permitted under the IP Act. This may include where we are authorised or required under Australian law, with your consent, or where you would reasonably expect us to use or disclose it for a related – or in the case of sensitive information, directly related – secondary purpose.

5. Access to and amendment of personal information

If you want to access or amend personal information that we hold about you, you should contact the relevant area within CDSB (e.g. the area you’ve been dealing with) in the first instance. If we hold the information on behalf of another Queensland agency, we may refer your request to them.

If the relevant area is unable to comply with your request, you may submit a formal access or amendment application to us under the Right to Information Act 2009. For further information, please refer to our Right to Information page.

6. Disclosure of personal information outside of Australia

We will only disclose your personal information overseas with your agreement, unless the disclosure is authorised or required by law, or otherwise allowed under the IP Act.

We would generally disclose personal information overseas only when necessary to fulfil our functions and provide our services. For instance, where a customer or complainant is overseas.

However, when you communicate with us via our social media channels, the social media providers and their partners may collect and hold your personal information overseas.

7. Dealing with us anonymously or using a pseudonym

You may engage with us anonymously or by using a pseudonym (a nickname or screen-name), and we will provide you with the option of doing so, unless:

• we are required or authorised under Australian law, or a court or tribunal order, to deal with individuals who have identified themselves, or
• it is impractical for us to deal with individuals who have not identified themselves or who have used a pseudonym.

For example, we can't engage with you anonymously or under a pseudonym in relation to (but not limited to):

• applications for employment
• discussing your personal information with you, and/or giving you access to your personal information
• certain types of complaints (e.g. privacy complaints).

Where we are required or authorised to engage with you as an identified individual, or where it's impractical for us to provide you with the option of engaging with us anonymously or under a pseudonym, we will collect only the minimum amount of personal information required to identify you, as relevant to the circumstances.

8. Security and retention of personal information

We hold personal information securely and we take reasonable steps to protect it from misuse, interference, loss, unauthorised access, modification or disclosure. We comply with the Queensland Government Information and cyber security policy (IS18) and our Information Security Policy to protect personal information and ensure it can be accessed by authorised staff members only.

If we no longer need personal information that we hold about you, we will take reasonable steps to destroy or de-identify it, unless:

• the information is (or is contained in) a public record, or
• we are required to retain the information under Australian law or a court or tribunal order.

9. Data breaches

A data breach refers to any circumstance in which either of the following has occurred:

• unauthorised access to, or unauthorised disclosure of, information
• the loss of information in circumstances where unauthorised access to, or unauthorised
  disclosure of, the information is likely to occur.

A data breach may or may not involve personal information. Where a data breach involves personal information, and where this is likely to result in serious harm to the individual/s whose information it is, this is known as an 'eligible data breach'. Except in limited circumstances, we are required to notify affected individuals and the appropriate privacy regulator of an eligible data breach.

We will manage data breaches, including eligible data breaches, in accordance with our Data Breach Policy.

10. Privacy complaints

If you believe that we've failed to handle your personal information appropriately, you can make a privacy complaint.

You can only make a privacy complaint on behalf of another person if:

• they have authorised you to do so
• they are a minor/child and you are their parent or guardian
• they lack capacity and you are their guardian
• you have other legal authority to act for them.

To make a privacy complaint to us, you must send your complaint to us in writing and include:

• an address for us to respond to you (e.g. an email address).
• details about the matter or issues you're complaining about (e.g. what we did, or what we failed to do, with your personal information that you believe has breached our obligations under the QPPs and the IP Act).

You must send your complaint to us within 12 months of becoming aware of the act or practice you think constitutes a breach of our obligations under the QPPs and the IP Act. If you're making a privacy complaint on behalf of someone else, please include an authority from them or other evidence (e.g. a birth certificate showing that they are a minor/child and you are their parent).

10.1. Contact address for submitting privacy complaints

Email
CDSBRTIandPrivacy@cdsb.qld.gov.au

Post
Right to Information and Privacy
Department of Customer Services, Open Data and Small and Family Business
PO Box 15086
CITY EAST QLD 4002

10.2. Timeframe for handling privacy complaints

Under the IP Act, we have 45 business days to respond to your privacy complaint. If we need additional time to respond to your complaint, we will ask you before the end of the 45-business-day period.

If you don't receive a response to your complaint within the response period, or if you're not satisfied with our response, you may refer your complaint to the Office of the Information Commissioner (OIC). For further information, please refer to OIC's Make a privacy complaint page.

11. Approval

Approved by Deputy Director-General, Coporate Services on 26 June 2025.