Queensland Health Queensland Privacy Principles Policy
This Queensland Privacy Principles (QPP) Privacy Policy details how we manage personal information at Queensland Health (the Department of Health).
Our approach to handling information
The Department of Health collects and manages personal information to provide health and well-being services for Queenslanders. We also collect personal information to administer our other functions, such as employee management, health sector research and public policy development.
Hospital and Health Services are not covered by this policy.
Each Hospital and Health Service (HHS) has its own QPP Privacy Policy. You can access HHS QPP Privacy Policies by following links on the About Hospital and Health Services page. If you cannot locate a QPP Privacy Policy for an HHS online, contact the relevant HHS and request they provide you with a copy.
This diagram explains the structure of Queensland Health and HHSs.
We are committed to handling your personal information with care, and in accordance with privacy law. Our privacy commitment to you is set out in our Privacy Charter.
The Information Privacy Act 2009 (Qld) (IP Act) and its QPPs set the rules for how the Department of Health handles personal information. These rules include a requirement, under QPP 1, that every agency have a QPP Privacy Policy.
Our QPP privacy policy explains how we manage personal information, including:
- the kinds of personal information we collect and hold, how we collect and hold that personal information, and the purposes for which we collect, hold, use and disclose personal information.
- how you may complain about our handling of your personal information, and how we will deal with the privacy complaint.
We also apply the confidentiality rules in Part 7 of the Hospital and Health Boards Act 2011 which limits when it is permitted to disclose information from which a person who is receiving (or has received) a public health service can be identified.
Information about you
At the Department of Health, we describe information about you using three terms:
- personal information
- sensitive information
- confidential information.
The laws that apply to us use these terms.
Personal information
Personal information is defined by the IP Act. Put simply, it is information that identifies a living person (or could lead to them being identified).
Sensitive information
Sensitive information is a subset of personal information. Sensitive information includes health information and other information such as race, ethnicity, religious beliefs, sexual orientation or practices and criminal records. We take additional care in our collection and handling of sensitive information.
Confidential information
Confidential information is information about a person who is receiving or has received a public health service. Confidential information includes care and treatment information.
Unlike personal information, which is only about a living person, confidential information can be about a living or deceased person.
Queensland laws set out requirements for how we handle confidential information.
These laws include:
- Part 7 of the Hospital and Health Boards Act 2011
- Public Health Act 2005
- Mental Health Act 2016.
To keep things simple, we use the term personal information in this QPP Privacy Policy.
This diagram helps to illustrate the categories of personal information (PDF 79 kB). The sections that follow describe the personal information we collect at the Department of Health, why we collect it and what we do with it.
Why we collect personal information
We collect personal information to provide health and wellbeing services to you, and to fulfil our other functions. Specifically, we collect personal information for the following.
- We may use your personal information to provide you with our services to improve your health and well-being.
- We may use your personal information to provide you with treatment and follow-up care that is appropriate for your needs.
- We may use your personal information to make decisions about your applications for our services or benefits.
- When you communicate with us via our website (www.health.qld.gov.au), your correspondence is treated as a public record. We keep your correspondence for as long as required by the Public Records Act 2023 (Qld) and other relevant laws. Your personal information included in the communication will never be shared with others unless you give us permission.
  The Department of Health does not reply to all communication received via our website.
  Communication may be forwarded to relevant business areas within the Department of Health or to an appropriate Hospital and Health Service.
- We may use personal information for research to help us to improve Queensland healthcare practices. All research must meet ethical requirements and be authorised by the chief executive.
- When you visit certain hospitals, your nurse or doctor may ask for your permission to use and disclose your health information for GIFTR research.
  This information may include:
  - medical and personal information in your health record (such as mental health, behavioural health, sexual health, and drug use)
  - notes from doctors
  - test results (including x-rays and blood)
  - genetic information
  If you give permission, your information will only be used for GIFTR research.
  Your personal information involved in the research will never be made public. If you do not agree, your information will not be used for GIFTR research. Your decision will not affect your treatment or care. For more information regarding GIFTR, email GIFTR@health.qld.gov.au.
- We may ask you to take part in online surveys that appear on our website. The surveys, for example, may relate to health issues such as smoking.
  These surveys are voluntary, and you can often remain anonymous. If you would like to participate, you may be asked to agree to certain terms and conditions about the use and/or disclosure of your information.
  We sometimes conduct surveys using online platforms provided by third-party service providers (also known as ‘contracted service providers’). These providers may store information outside of Australia.
- If you are a Queensland Health staff member, we will use your personal information to manage your employment and make payments to you.
- The Department of Health may use your personal information to process your request to access or amend your own personal information. We provide more information on how you can request access to, or amendment of, your personal information.
- We may use your personal information to process requests to access other Queensland Health information. To find out more, you can visit our Right to Information request page.
- We may use your personal information to investigate your privacy enquiry or complaint, and to communicate with you about your enquiry or complaint. We set out further information about how to make a privacy enquiry or complaint with us.
- When you visit our website (www.health.qld.gov.au), we may make a record of your visit and, for statistical purposes only, log the following information:
  - server address
  - top level domain name (e.g. .gov)
  - date and time of your visit to the site
  - pages visited and documents downloaded
  - previous sites visited
  - browser type.
  No attempt is, or will be, made to identify users or their browsing activities except, in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect activity logs.
  We use Google Analytics (including display advertising features) on our website to gather anonymous information about visitors to our website. When you visit our web pages, your browser automatically sends anonymous information to Google. Examples of the information include the web address of the page that you’re visiting, your IP address and demographic information. Google may also use cookies.
  We use this data to analyse the pages that are visited, to improve your experience and make sure our website is useful.
The Department of Health will only use or disclose your personal information for the purpose(s) that it was collected for, unless we have a lawful requirement or authority to use or disclose it for another purpose. Some circumstances where we may be lawfully required or authorised to use or disclose your personal information for another purpose include:
- Undertaking activities that help us monitor and improve the way we operate
- Providing professional supervision or mentoring of our staff
- Helping us with management, funding, monitoring, planning and evaluation and accreditation activities (including through the use of surveys)
- Enabling us to code and de-identify records
- Addressing liability indemnity arrangements and defending legal proceedings. This may require giving information to a medical expert (for a medico-legal opinion), insurer, medical defence organisation or lawyer
- Debt recovery in relation to services received.
What we collect
Information we collect depends on the service or function we need it for. We take care to ask you only for what is reasonably necessary or directly related.
Some examples of the information we collect are:
Website visitors
- Correspondence and feedback
- Website analytics data—see our Website Privacy Statement.
Community
- Name
- Contact details
- Date of birth
- Signature
- Photographs that capture your image or other personal information
- Unique identifying number (such as your Medicare number)
- Medical, health, diagnostic and treatment information
- Test results, x-rays and scans
- Sexual health information
- Correspondence and feedback
- Complaint information
- Details of access and amendment requests
Employees/prospective employees/contractors
- Name
- Contact details
- Signature
- Photographs that capture your image or other personal information
- Financial or bank details
- Educational history
- Cultural background, relationship status and family circumstances
- Details of office bearers in funded organisations (such as officer name)
- Correspondence and feedback
- Complaint information
- Details of access and amendment requests
- Occupation and employment history
- Criminal history
- Recruitment information
You can also visit the Queensland Health Information Knowledgebase (QHIK) for more information about the information collected and held by the Department of Health.
When we collect personal information
We may collect personal information directly from you or from someone else, such as your local doctor or a relative in an emergency situation.
We collect personal information when you:
- visit our website (www.health.qld.gov.au)
- take part in Department of Health surveys
- communicate with us or provide us with feedback
- visit a health care facility
- fill in a form (including online and paper forms)
- apply for a job with us
- ask us a question or make a complaint
- request access to, or amendment of, your personal information.
When we ask you for your personal information, we will take reasonable steps to provide you with a notice to explain what personal information we need and why. This is called a ‘Privacy Notice, Privacy Statement or Collection Notice’ (Collection Notice). We may provide you with a written or spoken Collection Notice. For example, when you fill out a form that asks for your personal information, it will contain a Collection Notice that explains why we need your information.
How personal information is shared
There may be times when we share your personal information. When we share your information, we do so in accordance with privacy law.
We may share your personal information with:
- your local doctor, or with a healthcare facility—e.g. we release your personal information in order to facilitate your treatment
- your family, spouse or guardian—e.g. where you have nominated them for the purpose.
If you do not wish for us to share your information with a person or organisation, you can ask us not to share it.
The Department of Health will not otherwise give your personal information to other government agencies, organisations or anyone else unless:
- we have your permission
- there is a lawful ability or requirement for us to do so.
How personal information is managed
The Department of Health ensures the accuracy of the personal information we hold and keeps it secure through its lifecycle. In addition to the QPPs, we also apply Information Standard 18 of the Queensland Government Information Security Classification Framework.
Our contracted service providers also observe strict personal information management requirements.
Accuracy
Before we use your personal information, we may check with you to make sure it is accurate, complete and up to date. If you think we hold personal information about you that is inaccurate or out of date, please contact us. Find out more about amending your personal information.
Security
The Department of Health holds personal information securely and takes reasonable steps to protect it from misuse, interference, loss, unauthorised access, modification or disclosure. To do this we have a range of information security practices that align with the Queensland government Information Standards and security protocols to protect personal information and ensure it can be accessed by authorised staff members only. This includes, for example, only allowing certain staff to access your information, using a login and password.
Protection of personal information is a priority for us. Any concerns about the security of your personal information held by the Department of Health should be reported.
The Department of Health holds personal information that we collect in both electronic and analogue formats; that is, we use paper-based and electronic storage systems. The privacy rules apply, irrespective of how we hold personal information.
Contact the Department of Health’s Principal Privacy Officer via email: rti-privacy@health.qld.gov.au
Disclosure out of Australia
For electronically held and managed personal information, we use Australian/Queensland data centres and back-up systems wherever possible. Where personal information must be stored in an overseas location, we take care to ensure that privacy and security controls are in place (e.g. through strict contractual requirements and avoiding storage locations where privacy rules appear insufficient).
When you communicate with us through a social media platform such as LinkedIn or YouTube, the social media provider and its partners may collect and hold your personal information overseas. We also use SurveyMonkey to conduct voluntary surveys from time to time, which may involve the collection and disclosure of participants’ personal information overseas.
Where we disclose personal information overseas, this will usually occur with agreement, where we are authorised or required by or under law, or otherwise consistently with our obligations under the IP Act.
Microsoft 365
Microsoft 365 is a set of cloud-based productivity tools and integrated cloud services. Microsoft 365’s commonly used featured platforms for collaborative work include (but are not limited to):
- Microsoft Teams—a collaboration and video conferencing platform that acts as a central hub for workplace communications via text chat, voice call, video call, calendar, notes, documents, and apps (including, from time to time, recording and capture of video and voice calls). Refer to the Queensland Health privacy notice: Use of Microsoft for meetings and recordings
- SharePoint—a cloud-based content collaboration and management platform where files can be shared and stored temporarily
- OneDrive—a personal cloud-based storage service.
These platforms are integrated and provide the Department of Health with different avenues for sharing, organising and temporarily storing information.
The Department of Health uses these platforms in a manner consistent with our responsibilities and obligations under the IP Act, Right to Information Act 2009 (Qld) and Public Records Act 2023; and the Queensland Government Customer and Digital Group Collaboration platform (Microsoft Teams) guideline.
Collection by Microsoft when using Microsoft 365
Microsoft may collect your personal information as a result of using Microsoft 365 services and applications. Microsoft’s privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.
Service providers
The Department of Health uses contracted service providers to provide particular services and functions of our organisation. Some examples include:
- electronic document management
- cloud-based storage
- community surveys and feedback collation.
To provide these services and functions, service providers may collect and use personal information on our behalf. The Department of Health still controls and is responsible for the information. The Department of Health ensures that service providers meet our privacy and confidentiality requirements. We do this by entering into a contract or service agreement with them that includes privacy and confidentiality clauses.
Retention
Where permitted by the Public Records Act 2023 (Qld), we will destroy or deidentify unsolicited personal information or personal information no longer required for any of our functions in accordance with our obligations under the QPPs if it is lawful and reasonable to do so.
The Department of Health will keep your personal information for the minimum period of time as required in a retention and disposal schedule approved by the Queensland State Archivist. The minimum retention period varies between classes of records according to the purpose and use of the records. The following retention and disposal schedules document the minimum retention periods for records maintained by the Department of Health:
Social media
We maintain a number of social media accounts for the purpose of pushing out information about:
- our services
- health and wellbeing, generally
- important health alerts.
Please be aware that personal information given to us or posted on any social media site becomes captured by that social media platform’s privacy policy. You may instead choose to contact us directly.
For information regarding the Department of Health’s social networking services, email socialmedia@health.qld.gov.au.
Monitoring of buildings
CCTV cameras
Some Department of Health locations are equipped with Closed Circuit Television (CCTV) cameras. These are used to monitor safety and accessibility, as well as to deter (and capture evidence of) unlawful behaviour.
The CCTV cameras are owned and controlled by the Department of Housing and Public Works (DHPW) as part of their whole of government services. The footage from the cameras is generally stored by DHPW for 90 days before it is destroyed.
If you would like to enquire about the CCTV cameras, or you would like access to the footage, you can contact DHPW; refer to Find a contact | Department of Housing and Public Works.
Secure check-in
Some Department of Health buildings have a secure check-in facility for visitors, consultants and contractors attending our premises. This computerised check-in collects personal information, such as name and mobile phone number.
Secure check-in facilities are owned and controlled by DHPW as part of their whole of government services. DHPW is responsible for the management of any personal information provided.
For more information about the secure check-in facilities provided by DHPW, contact DHPW; refer to Find a contact | Department of Housing and Public Works.
How to access or amend your personal information
You have the right to:
- access personal information we hold about you
- amend your personal information, where you think that it is inaccurate, incomplete, or out-of-date.
If you would like to access or amend your personal information, we are generally able to do this for you. Please write to us, letting us know how we can contact you and:
- what information you would like access to, or
- what information you would like to amend.
Before we can give you access to, or amend, your personal information, you will also need to verify your identity. This is to ensure that we don’t give your personal information to anyone else.
We provide detailed information on how to access and amend your personal information, and how to access other Queensland Health information, on our Right to Information request page.
The page includes a form that you can download and complete. Please submit your completed form to:
The Manager
Privacy and Right to Information Unit
Department of Health
GPO Box 48
Brisbane
Queensland 4001.
Alternatively, please call (07) 3082 0546 or email RTI-Privacy@health.qld.gov.au
There may be times where we may not hold the personal information that you request (for example, where you request health records or CCTV footage of you). If we do not hold your personal information, we will direct you to the right agency.
How to make a privacy complaint
If you have a question about the Department of Health’s QPP Privacy Policy or a concern or complaint about how we handle personal information, please contact the Department of Health’s Principal Privacy Officer via:
Email: rti-privacy@health.qld.gov.au
More information about submitting a privacy complaint is available on our Privacy Complaints page.
Understanding and addressing privacy complaints is an important part of our service. We have 45 business days to resolve the privacy complaint to your satisfaction. If you are dissatisfied with our response to your complaint, you have a right to contact Queensland’s privacy regulator.
The process is detailed on the website: Office of the Information Commissioner—making a privacy complaint.
Dealing with the Department of Health anonymously or using a pseudonym
People can make enquiries, report a data breach or use the enquiry forms on our website anonymously or by using a pseudonym.
Complaints about the Department of Health can be made anonymously or by using a pseudonym but, depending on the nature of the complaint, we may not be able to action a complaint and/or provide a response without a person’s identity (e.g. where a complaint relates to a particular individual’s file).
Anonymous or pseudonymous interaction is not possible when lodging a privacy complaint. We are required to collect information such as your name, contact details and details of your matter so we can deal with you and your matter effectively and in accordance with our statutory requirements.
Additional privacy information and resources
General privacy
Health-specific privacy
- Health records and personal information, which provides an overview of:
  - personal information collected in health records
  - protecting your information
  - accessing and correcting your own health records
  - accessing prison health records
  - sexual health records
- Fact sheet: What happens to your personal information?
- Access your personal information with a Right to Information request