Enterprise ICT Governance

Directive number: QH-HSD-052

Effective date: 28/01/2026

Review date: 28/01/2029

Supersedes: Version 3.0

On this page:

Purpose

The purpose of this Health Service Directive (HSD) is to define Queensland Health’s ICT Policy Framework. This framework is intended to support the federated Queensland public health system while ensuring that Queensland Health’s information, communications and technology (ICT) environment is fit for purpose (safe, effective and optimised).

This HSD supports the role of eHealth Queensland as a division of the Department of Health and a provider of foundational ICT capabilities across the health system, notably its role in developing and implementing information management and digital strategies, policies, and standards across Queensland Health.

This HSD fulfils criteria 5 in section 47 (1) of the Hospital and Health Boards Act 2011: supporting the application of public sector policies, State and Commonwealth Acts, and agreements entered into by the State.

Scope

This directive applies to all Hospital and Health Services (HHSs).

Principles

The following Queensland Health system governance principles will be considered in the application of this Health Service Directive:

  • Consistency with the Hospital and Health Boards Act: maintain consistency with system roles, accountabilities and authorities for the Director-General, Deputy Directors-General, Hospital and Health Service Chief Executives and Hospital and Health Service Boards under legislation.
  • Federated to networked system governance: to promote mutual reciprocity, and value creation alliances between peers and partners, including HHSs, Department of Health and the Queensland Ambulance Service.
  • Engagement between HHSs, Department of Health and Queensland Ambulance Service: to develop common ground, mutual respect, understanding, and an active investment in relationship capital.
  • Transparency: better decisions are made when reducing “information asymmetry”. Ensure all parties have all the information.
  • Pursuit of value: advice and decisions are made with the view to getting the best outcome at the lowest cost for Queenslanders – consumers, patients and families.
  • Partnership: Queensland Health as part of a much broader health and social care ecosystem. We need to work with other delivery partners to get the best outcome for Queenslanders.
  • Consumers and Clinician engagement: Better service delivery when co-designed with those who deliver and receive them.

Outcomes

Hospital and Health Services included in the scope of this directive shall achieve the following outcomes:

  • consistent ICT governance across Queensland Health supporting a common language, clearly defined roles and responsibilities, and a minimum set of performance and conformance requirements.
  • improved traceability of local policies, standards and procedures to both the health system and local requirements.
  • consistent and comprehensive application of whole-of-government compliance requirements to mitigate system-wide risk.

Mandatory requirements

  • Queensland Health digital policies will be developed to support the implementation of digital and ICT capabilities that mitigate risk or provide benefit to the health system.
  • All Queensland Health digital policies will be developed using co-design processes in full consultation with HHSs and the Department of Health and aligned to the principles above.
  • The endorsement and approval of Queensland Health digital policies will follow the process outlined in Schedules 1 and 2.
  • Queensland Health digital policies will define compliance requirements based on statutory obligations and administrative controls. Appropriate application of any Queensland Health digital policies and/or amplification of local requirements is the responsibility of the HHS.
  • Digital policies developed with application to Queensland Health will operate in a hierarchy as defined in the Queensland Health ICT Policy Framework in Schedule 3.
  • All Queensland Health digital policies must be appropriately classified based on the business impact level assessment. For more information, see the Queensland Health Information security classification and handling Standard [1].
  • All Queensland Health digital policies will be communicated to all HHSs and Department of Health divisions, following the communication channels outlined in Schedule 4 and published on the Queensland Health ICT policies site.

[1] Where the policy is classified as OFFICIAL-INTERNAL or above, a link to the published digital policy will be provided on the Queensland Health ICT policies site and only made available to external parties in line with the security classification.

Compliance

Hospital and Health Services will be requested to provide an attestation every three years demonstrating compliance with this HSD.

Human Rights

Human Rights are not engaged by this directive.

  • Financial Accountability Act 2009
  • Financial and Performance Management Standard 2019
  • Hospital and Health Boards Act 2011
  • Human Rights Act 2019
  • Information Privacy Act 2009
  • Public Records Act 2023
  • Public Sector Act 2022
  • Right to Information Act 2009
  • Queensland Government Enterprise Architecture
  • Our Thriving Digital Future: Queensland’s Digital Economy Strategy.

Supporting documents

  • Queensland Health ICT Policy Framework
  • Queensland Health Performance and Accountability Framework 2020
  • Digital Health 2031: A digital vision for Queensland’s health system
  • Enterprise Architecture Health Service Directive.

Business area contact

  • Digital Policy and Governance Unit, eHealth Queensland.

Approval and implementation

Directive Custodian

Deputy Director-General, eHealth Queensland

Approval by Chief Executive

Director-General, Queensland Health

Approval date:

28 January 2026

Issued under section 47 of the Hospital and Health Boards Act 2011.

Review

This Health Service Directive will be reviewed at least every three years.

Next review due by: 28/01/2029

Definitions of terms used in this directive

Term Definition / explanation / details 
Co-design Involves people who are closest to solutions in the design of solutions. It brings together stakeholders with different perspectives on complex problems.

Stakeholder engagement overview

Data The representation of facts, concepts or instructions in a formalised (consistent and agreed) manner suitable for communication, interpretation or processing by human or automatic means. Typically comprised of numbers, words or images. The format and presentation of data may vary with the context in which it is used. Data is not information until it is utilised in a particular context for a particular purpose. Examples include Coordinates of a particular survey point; Driver license number; Population of QLD; Official picture of a minister in jpeg format. Data management Policy
Digital Digital means more than just ICT / technology. It is the use of ICT / technology that innovates, transforms and disrupts services, processes, information, people, industries and society with the purpose of offering customers new ways of interacting with organisations. Glossary | For government | Queensland Government
ICT initiativeInitiatives that deliver an outcome that is enabled by information and communication technologies within the Queensland Health system.

Governance of ICT initiatives policy

Information Information is any collection of data that is processed, analysed, interpreted, classified, or communicated in order to serve a useful purpose, present facts, or represent knowledge in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, cartographic, physical sample, textual or numerical form. Information may also be a public record or an information asset if it meets certain criteria. Glossary | For government | Queensland Government
Information and Communication Technology (ICT) Information and communication technology (ICT), also commonly referred to as Information Technology (IT) includes software, hardware, network, infrastructure, communications, devices and software systems (applications) that not only support business processes of an agency, but which enable the digital use and management of information and enable people to connect in a digital environment. Typically, ICT covers both the Application and Technology layers of the QGEA. Additionally, refer to the Application and Technology QGEA classification framework domains for further examples.

Glossary | For government | Queensland Government

Queensland Health

Queensland Health comprises the Department of Health (including Queensland Ambulance Service) and the 16 independent Hospital and Health Services.

Queensland Health ICT Policy Framework

Queensland Health digital policyQueensland Health's Digital policy is an ICT policy and standard that has been developed to mitigate system-wide ICT risk. Digital policies apply across the Department of Health and Hospital and Health Services (HHSs). Digital policies are mandated across HHSs through the Enterprise ICT Governance HSD.

Queensland Health ICT Policy Framework

Schedule 1: Queensland Health Digital Policy Approval Process

Initiation

  • Approval to develop new Queensland Health digital policy documents must be sought from the respective Deputy Director-General, as custodian for that Queensland Health digital policy documents.
  • The respective Deputy Director-General will seek endorsement from all Health Services Chief Executives (HSCEs) and Deputy Director-Generals (DDGs) on the proposed digital policy document. Where required, a working group will be established to co-design the proposed artefact.

Consultation

  • Following the development of new, or significantly amended, Queensland Health digital policies, a draft will be distributed to all HHSs and the Department of Health for a formal consultation period of no less than 15 working days.
  • Feedback received during this consultation period will be reviewed and incorporated into the artefact where appropriate.

Endorsement and Approval

  • Final drafts will be forwarded to HSCEs and DDGs for endorsement.
  • Appropriate sub-committee clearance must be sought prior to final drafts being submitted to the Architecture and Standards Committee (ASC) for formal endorsement.
  • Post ASC endorsement, all new or significantly amended Queensland Health digital policies will be submitted to the Director-General, as the policy owner, for approval. The endorsement log and any other relevant supporting documentation must be provided.

Publishing and Communication

  • Once approved, the approved policy documents and completed approval form must be provided to the Digital Policy and Governance Unit, eHealth Queensland, for registering and publishing.
  • Queensland Health digital policy documents will be published on the Queensland Health ICT Policies site [2].
  • Following the publishing of the Queensland Health digital policy document, notification will be sent through communication channels as outlined in Schedule 4.

[2] Where the policy is classified as OFFICIAL-INTERNAL or above, a link to the published digital policy will be provided on the Queensland Health ICT policies site and only made available to external parties in line with the security classification.

Schedule 2: Queensland Health Digital Policy Review Process

  • All Queensland Health digital policy documents are subject to a formal review cycle every three years. Digital policy documents must also be reviewed following legislative or other changes that impact the policy.
  • Where amendments proposed are major, meaning significant changes or alter the intent of the digital policy document, the consultation and approval pathways must follow the process outlined in Schedule 1.
    • ­ Where a minor amendment is proposed, the following process may be followed:
    • The draft digital policy document will be provided to HSCEs and Deputy Directive-Generals by the respective Deputy Director-General seeking endorsement of the proposed amendments:
      • are minor
      • do not change the intent or requirements of the directive
      • are accepted and do not require further consultation.
    • The endorsed Queensland Health digital policy document will be submitted to the ASC, after sub-committee clearance where required, for formal endorsement prior to seeking the respective Deputy Director-General, as the policy custodian, for approval. The endorsement log and any other relevant supporting documentation must be provided.
  • If the majority of HSCEs and DDGs do not endorse the proposed minor amendments, the major review process must be followed.
  • Following the publishing of the reviewed Queensland Health digital policy document, notification will be sent through communication channels as outlined in Schedule 4.

Schedule 3: Queensland Health ICT Policy Framework

  • Queensland Health digital policy documents operate within a hierarchy, with the requirement that documents lower in the hierarchy must be consistent with the documents higher in the hierarchy. Standards and guidelines must support a policy, whereas a policy can be a standalone document.
  • The policy document hierarchy for Queensland Health digital policy is as follows:
  1. Legislation
  2. Health Service Directives
  3. Queensland Health Digital Policy
  4. Queensland Health Digital Policy Standards
  5. Queensland Health Digital Guidelines.
  • Where a Queensland Health digital policy document does not mitigate local risk, an HHS policy or procedure can be established to address these requirements.

Schedule 4: Communication Channels

  • At a minimum, the following communication will occur following the publishing of a new or revised digital policy document:
  • A notification of the publishing of the new or revised digital policy will be sent to:
    • all Chief Information Officers or equivalents across the state
    • all subject matter experts involved in drafting of the digital policy artefact.
    • any designated role that has defined responsibilities in the policy artefact.
  • A notification will be published as an E-Alert and on the QHEPS Spotlight and News section.

Version control

VersionDate Prepared byComments
1.0 30 July 2019 Digital Policy Approved Director-General.
2.0 04 May 2021 Digital Policy Minor review undertaken with agreement from HHSs
Updates to consultation and approval process including:
  • an additional schedule included that outlines the process for minor review
  • an increase in the consultation period from 10 to 15 days for new Queensland Health policies and major reviews
  • seeking appropriate subcommittee clearance prior to final drafts being tabled at the Architecture and Standards Committee for formal endorsement.

Endorsed ASC March 2021.

Approved by Director-General.

3.0 17 August 2022 Digital Policy Endorsed ASC.
Approved by Director-General Queensland Health.
4.028 January 2026Digital PolicyCyclic review undertaken.
Endorsed Architecture and Standards Committee.
Approved by Director-General Queensland Health.

Change table

Section Change typeChangeRationale
Mandatory requirementNew ContentAdded ‘All Queensland Health digital policies must be appropriately classified based on the business impact level assessment. For more information see the Queensland Health Information security classification and handling Standard’.Added to meet the requirements in the Queensland Health Information security classification and handling Standard.
 New ContentWhere the policy is classified as OFFICIAL-INTERNAL or above, a link to the published digital policy will be provided on the Queensland Health ICT policies site and only made available to external parties in line with the security classification.Information classified as official internal requires approval for release; therefore, it cannot be published in accordance with the principles of open data.
 New ContentAmended ‘New All Queensland Health digital policy will be communicated’.Updated as new and reviewed digital policies are communicated to the HHSs and DOH.
Related or governing legislation, policy and agreementsContent update

Added:

  • Our Thriving Digital Future: Queensland’s Digital Economy Strategy.

Updated:

  • Public Records Act 2023.

Removed:

DIGITAL 1st: Advancing our DigITal future. The Queensland Government's digital strategy for 2017–2021.

Changed to align with current legislation and strategies.
Supporting documentContent update

Removed:

  • Health System Risk Management Framework
  • Delivering a High-Performing Health System for Queenslanders: Performance Framework, July 2019.
Changed to align with current frameworks and strategies.
Definitions Content update ICT initiatives. Definition updated to reflect the current Governance of ICT Initiatives Policy.
Schedule 1-4New reference Deputy Director-Generals (DDGs) added to relevant sections. As Queensland Health digital policy documents apply across the Department of Health as well as HHSs, DDG endorsement is required as well as HSCE endorsement.
Schedule 1New headings Policy lifecycle headings added. Added for clarity.
Initiation Content update

Changed:

Dot point 1 Approval to develop new Queensland Health digital policies must be sought from the Deputy Director-General, eHealth Queensland, as custodian of Queensland Health digital policy.

To:

Approval to develop new Queensland Health digital policies must be sought from the respective Deputy Director-General, as custodian for that Queensland Health digital policy.

 The amendment relates to the responsibilities for developing ICT policies. Previously, the responsibility for developing and managing ICT policy was assigned to the DDG of eHealth Queensland. As the delegated accountable officer for ICT policy, the DDG eHealth Queensland sets direction on how ICT policy is managed and governed. However, ICT policies are also developed by other divisions, therefore the responsibility for managing ICT policy would rest with the respective DDG of the division, as the custodian, developing the policy.
 Content update

Dot point 2 changed from:

‘The Deputy Director-General, eHealth Queensland will seek endorsement from all Health Services Chief Executives (HSCEs) and Deputy Director-General’s to develop a Queensland Health digital policy and request nominations to participate in a working group to co-design the proposed artefact’.

Changed to:
‘The respective Deputy Director-General, will seek endorsement from all Health Services Chief Executives (HSCEs) and Deputy Director-Generals on the proposed digital policy. Where required, a working group will be established to co-design the proposed artefact.’

Updated to accord responsibility to the respective DDG, as the custodian, to seek HSCE/DDG endorsement to develop a Queensland Health digital policy.

The working group requirement has been amended, as not all digital policies require the establishment of working groups.

For example, if a policy is being uplifted to a Queensland Health digital policy, then a working group is not required or in instances where working group already exist for that subject area.

ConsultationContent update

Dot point 2 changed from: ‘Feedback received during this consultation period will be submitted to the co-design working group for consideration and incorporation where required’.

Changed to:
‘Feedback received during this consultation period will be reviewed and incorporated into the artefact where appropriate’.

As stated above, a working group is not always required to be established for all digital policies.
Endorsement and ApprovalContent updateMerged dot points to ‘Appropriate sub-committee clearance must be sought prior to final drafts being submitted to the Architecture and Standards Committee (ASC) for formal endorsement’.Dot points simplified to reflect current endorsement processes.
 Content update

Final dot point changed from:
‘Queensland Health Digital Policy Communication Plan will be implemented’.

Changed to:
‘notification will be sent through communication channels.

Amended to reflect current communication channels.
Publishing and CommunicationNew contentAdded new dot point: Once approved, the approved policy documents and completed approval form must be provided to the Digital Policy and Governance Unit, eHealth Queensland, for registering and publishing.To ensure alignment to record keeping obligations.
Schedule 2Content updateAdded to Dot point 1 - Digital policy documents must also be reviewed following legislative or other changes that impact the policy.Updated to reflect feedback received from Legal Unit.
 Content updateIn dot point 2, added words ‘meaning significant or alter the intent of the digital policy document’ to define the meaning of major review’.Added to support a more straightforward interpretation of ‘major amendment’.
 Content update

Changed final approver from:
‘Director-General, as the policy owner’.

Changed to:
‘Respective Deputy Director-General, as the policy custodian’.

Updated to give delegation to the respective Deputy Director-General, as policy custodian, to approve digital policy that meets the criteria for minor review.
 New contentFollowing the publishing of the reviewed Queensland Health digital policy, notification will be sent through communication channels as outlined in Schedule 4.Added notification process for reviewed and published digital health policies.
Schedule 4Content removed

Removed dot points:

  • ‘A Communication Plan will be developed for each new or revised Queensland Health digital policy artefact, outlining communication pathways and channels’
  • ‘All stakeholders who provided feedback’.

Removed wording:

‘In eHealth Queensland Staff download’.

Amended to reflect current communication channels.

OFFICIAL – PUBLIC 

PRINTED COPIES ARE UNCONTROLLED

Last updated: 28 January 2026