Skip links and keyboard navigation

Enterprise information, communications and technology (ICT) governance

Directive number: QH-HSD-052:2019

Effective date: 17 August 2022

Review date: 17 August 2025

Supersedes: Version 2

On this page:


Under the Hospital and Health Boards Act 2011 (the Act), the Director-General as the system manager, may issue binding health service directives to Hospital and Health Services (HHSs).

The purpose of this Health Service Directive (HSD) is to define Queensland Health’s Digital Policy Framework. This framework is intended to support the federated Queensland public health system while ensuring that Queensland Health’s information, communications and technology (ICT) environment is fit for purpose (safe, effective and optimised).

This HSD fulfils criteria 5 in section 47 (1) of the Act: supporting the application of public sector policies, State and Commonwealth Acts, and agreements entered into by the State.


This HSD applies to all Hospital and Health Services.


The following Queensland Health system governance principles will be considered in the application of this Health Service Directive:

  • Consistency with the Hospital and Health Boards Act 2011: maintain consistency with system roles, accountabilities and authorities for the Director-General, Deputy Directors-General, Hospital and Health Service Chief Executives and Hospital and Health Service Boards under legislation.
  • Federated to Networked system governance: to promote mutual reciprocity, and value creation alliances between peers and partners including Hospital and Health Services, Department of Health and the Queensland Ambulance Service.
  • Engagement between Hospital and Health Services, Department of Health and Queensland Ambulance Service: to develop common ground, mutual respect, understanding, and an active investment in relationship capital.
  • Transparency: better decisions are made when reducing “information asymmetry”. Ensure all parties have all the information.
  • Pursuit of Value: advice and decision are made with the view to getting the best outcome at lowest cost for Queenslanders – consumers, patients and families.
  • Partnership: Queensland Health as part of a much broader health and social care ecosystem. We need to work with other delivery partners to get the best outcome for Queenslanders.
  • Consumers and Clinician engagement: Services will be best when co-designed with those who deliver and receive them.


As outlined in the Handbook for Queensland Hospital and Health Boards May 2018, this HSD supports the role of:

  • HHSs as statutory bodies within a federated health system
  • eHealth Queensland as a division of the department and a provider of foundation ICT capabilities across the health system; notably its role in the development and implementation of information management and digital strategies, policies and standards across Queensland Health.

In implementing this HSD, HHSs can be confident that they have:

  • consistent ICT governance across Queensland Health supporting a common language, clearly defined roles and responsibilities and a minimum set of performance and conformance requirements.
  • improved traceability of local policies, standards and procedures to both health system and local requirements
  • consistent and comprehensive application of whole-of-government compliance requirements to mitigate system wide risk.

Mandatory requirements

  • Queensland Health digital policy will be developed to support the implementation of digital and ICT capabilities that mitigate risk or provide benefit to the health system.
  • All Queensland Health digital policies will be developed using co-design processes in full consultation with HHSs and the Department of Health and align to the principles above.
  • The endorsement and approval of Queensland Health digital policy will follow the process outlined in Schedules 1 and 2.
  • Queensland Health digital policies will define compliance requirements based on statutory obligations and administrative controls. Appropriate application of any Queensland Health digital policies and standards and/or amplification of local requirements is the responsibility of the HHS.
  • Digital policies, standards and guidelines developed with application to Queensland Health will operate in a hierarchy as defined in the Queensland Health ICT Policy Framework in Schedule 3.
  • New Queensland Health digital policy will be communicated to all HHSs, and the Department, following the Communication Plan outlined in Schedule 4 and published on the Queensland Health ICT Policies site.
  • Hospital and Health Services will be requested to provide an attestation every three years demonstrating compliance with this HSD.
  • Financial Accountability Act 2009 (Qld)
  • Financial and Performance Management Standard 2019 (Qld)
  • Hospital and Health Boards Act 2011 (Qld)
  • Human Rights Act 2019 (Qld)
  • Information Privacy Act 2009 (Qld)
  • Public Records Act 2002 (Qld)
  • Public Service Act 2008 (Qld)
  • Right to Information Act 2009 (Qld)
  • Queensland Government Enterprise Architecture
  • DIGITAL 1st: Advancing our DigITal future. The Queensland Government digital strategy for 2017–2021

Supporting documents

  • Queensland Health ICT Policy Framework
  • Queensland Health Performance and Accountability Framework 2020
  • Health System Risk Management Framework
  • Delivering a High Performing Health System for Queenslanders: Performance Framework July 2019
  • Digital Health 2031: A digital vision for Queensland’s health system
  • Enterprise Architecture Health Service Directive

Business area contact

  • Digital Policy and Governance, eHealth Queensland


This HSD will be reviewed at least every three years.

Date of last review: 07/02/2022

Supersedes: version 2.0

Approval and implementation

Directive Custodian

Deputy Director-General, eHealth Queensland

Approval by Chief Executive

A/Director-General, Queensland Health

Approval date: 17 August 2022

Issued under section 47 of the Hospital and Health Boards Act 2011.

Definitions of terms used in this directive

Term Definition / explanation / details
Co-design Co-design is the act of creating with stakeholders specifically within the design development process to ensure the results meet their needs and are usable.
Data The representation of facts, concept or instructions in a formalised (consistent and agreed) manner suitable for communication, interpretation or processing by human or automatic means. Typically comprised of numbers, words or images. The format and presentation of data may vary with the context in which it is used. Data is not information until it is utilised in a particular context for a particular purpose. Examples include: Coordinates of a particular survey point; Driver licence number; Population of QLD; Official picture of a minister in jpeg format.
Digital Digital means more than just ICT / technology. It’s the use of ICT / technology that innovates, transforms and disrupts services, processes, information, people, industries and society with the purpose of offering customers new ways of interacting with organisations.
ICT initiative An ICT Initiative is a proposed or active (in flight) initiative that delivers an outcome that is enabled by information and communication technologies within the Queensland Health system.
Information Information is any collection of data that is processed, analysed, interpreted, classified, or communicated in order to serve a useful purpose, present fact or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form. Information may also be a public record or an information asset if it meets certain criteria.
Information and Communication Technology (ICT) Information and communication technology (ICT), also commonly referred to as Information Technology (IT) includes software, hardware, network, infrastructure, communications, devices and software systems (applications) that not only support business processes of an agency, but which enable the digital use and management of information and enable people to connect in a digital environment. Typically, ICT covers both the Application and Technology layers of the QGEA. Also see the Application and Technology QGEA classification framework domains for further examples.
Queensland Health Queensland Health comprises of the Department of Health (including Queensland Ambulance Service) and the 16 independent Hospital and Health Services.

Schedule 1: Queensland Health digital policy approval process

  • Approval to develop a Queensland Health digital policy must be sought from the Deputy Director-General, eHealth Queensland, as custodian for Queensland Health Digital Policy.
  • The Deputy Director-General, eHealth Queensland will seek endorsement from all Health Services Chief Executives (HSCEs) and Deputy Director-General’s to develop a Queensland Health digital policy and request nominations to participate in a working group to co-design the proposed artefact.
  • Following the development of a Queensland Health digital policy, a draft will be distributed to all HHSs and the Department for a formal consultation period of no less than 15 working days.
  • Feedback received during this consultation period will be submitted to the co-design working group for consideration and incorporation where required.
  • Appropriate subcommittee clearance should be sought prior to final drafts being forwarded to HSCEs for endorsement.
  • Final drafts will be forwarded to HSCE’s for endorsement.
  • HSCE endorsed drafts will be submitted to Architecture and Standards Committee (ASC) for formal endorsement.
  • ASC endorsed Queensland Health digital policy will be submitted to the Director-General, as the policy owner, for approval. The HSCE endorsement log and any other relevant supporting documentation should also be provided.
  • All approved Queensland Health digital policy will be published on the ICT Policy Register website.
  • Following the publishing of the Queensland Health digital policy, the Queensland Health Digital Policy Communication Plan will be implemented, as outlined in Schedule 4.

Schedule 2: Queensland Health digital policy review process

All Queensland Health digital policies and standards are subject to a formal review cycle every three years. If the amendments proposed are considered major the review will follow the Queensland Health policy approval process outlined in Schedule 1.

Where a minor amendment is proposed the following process is to be followed:

  • The marked-up draft be provided to HSCEs by the Deputy Director-General, eHealth Queensland, seeking endorsement that the proposed amendments:
    • are minor in nature
    • do not change the intent or requirements of the directive
    • are accepted and do not require further consultation.
  • The HSCE endorsed Queensland Health digital policy will be submitted to the ASC for formal endorsement, prior to seeking Director-General, as the policy owner, approval. The HSCE endorsement log and any other relevant supporting documentation should be provided.
  • If the majority of HSCEs do not agree to the proposed amendment, the major review process should be followed as per Schedule 1.

Schedule 3: Queensland Health digital policy framework

Queensland Health Digital Policy documents operate within a hierarchy, with the requirement that documents lower in the hierarchy must be consistent with the documents higher in the hierarchy. Standards and guidelines must support a policy, whereas a policy can be a standalone document.

The policy document hierarchy for Queensland Health digital policies is as follows:

  1. Legislation
  2. Queensland Government policies and standards
  3. Health service directives
  4. Queensland Health digital policy
  5. Queensland Health digital policy standards
  6. Queensland Health digital guidelines.

Where a Queensland Health digital policy or standard does not mitigate local risk, a HHS policy or procedure can be established to address these requirements.

Schedule 4: Queensland Health digital policy communication plan

  • A Communication Plan will be developed for each new or revised Queensland Health digital policy artefact, outlining communication pathways and channels.
  • At a minimum the following communication will occur following the publishing of a new or revised policy:
    • A notification of the publishing of the new or revised policy will be sent to:
      • all stakeholders who provided feedback
      • all CIOs or equivalents across the state
      • all subject matter experts involved in drafting the policy
      • any designated role that have defined responsibilities in the policy artefact.
    • A notification will be published as an E-Alert, in eHealth Queensland Staff download and on QHEPS spotlight and news section.

Version control

VersionDate Prepared byComments
1.0 30 July 2019 Digital Policy Approved Director-General.
2.0 04 My 2021 Digital Policy Minor review undertaken with agreement from HHSs
Updates to consultation and approval process including:
  • an additional schedule included that outlines the process for minor review
  • an increase in the consultation period from 10 to 15 days for new Queensland Health policies and major reviews
  • seeking appropriate subcommittee clearance prior to final drafts being tabled at the Architecture and Standards Committee for formal endorsement.

Endorsed ASC March 2021

3.0 17 August 2022 Digital Policy Endorsed ASC.
Approved by A/Director-General Queensland Health

Change table

Section Change typeChangeRationale
Principles New Content Principles changed to reflect the System ICT Advisory Committee (SICTAC) guiding principles   SICTAC principles are aligned to the public sector governance principles. As the key focus of the HSD is on governance of ICT, it was felt that SICTAC principles are more appropriate than the original principles which were adapted from the Enterprise Architecture HSD.
Outcomes Content removed Reference to outcomes for the original QH Digital policies removed. Dot points have been simplified to reflect system outcomes.
Mandatory requirements Correction Removal of reference to Department of Heath HSD only applies to HHSs.
Content update Queensland Health Digital Policy Framework changed to Queensland Health ICT Policy Framework Framework has been reviewed and is now the called the Queensland Health ICT Policy Framework
Content update Last dot point updated to reflect the new system governance schedule.
‘Hospital and Health Services will be requested to provide an attestation every three years demonstrating compliance with this HSD’
The attestation requirement has been changed from annual to every three years.
Definitions Content removed Following terms removed:
  • Big Data
  • Custodian
  • Cyber Security
  • Digital and ICT enabled initiatives
  • Information asset
  • Information security

Following term added:

  • ICT initiatives
Definitions table reviewed and updated to reflect current terms used in the updated HSD.
Schedule 1 Content removed Removal of second dot point
‘Intention to develop a Queensland Health Digital Policy will be tabled at the Architecture and Standards Committee (ASC)’.
The original intent was to seek nominations for the Working Group through the ASC, however as endorsement and nominations for the working group is required from HHSs prior to developing a new policy artefact this step is not required.
New Content Added new dot point:
‘Appropriate subcommittee clearance should be sought prior to final drafts being forwarded to HSCE’s for endorsement’
Seventh dot point changed to reflect addition of above referenced dot point
Ensure all relevant sub committees have supported the new or reviewed artefacts. This includes the Information Management Strategic Governance Committee and the Information Security Committee
Schedule 2 Content update Updates made to reflect Schedule 1.
Fourth dot point removed.
All policies are now published on the new ICT policies website
Schedule 3 Content update Title updated. Framework has been reviewed and is now the called the Queensland Health ICT Policy Framework
Schedule 4 New Content Dot point added
any designated role that have defined responsibilities in the policy artefact’
Last dot point changed to reflect current process.
Co-design definition added.
Ensure notification is provided to the relevant and impacted parties.
Last updated: 23 August 2022