Queensland Health Privacy Policy

This Privacy Policy details how we manage personal information at Queensland Health.

On this page

Our approach to handling information

Queensland Health collects and manages personal information to provide health and well-being services for Queenslanders. We also collect personal information to administer our other functions, such as employee management, health sector research and public policy development.

Hospital and Health Services are not covered by this policy.

Each Hospital and Health Service (HHS) has its own Privacy Policy. You can access HHS Privacy Policies by following links on the About Hospital and Health Services page. If you cannot locate a Privacy Policy for a HHS online, contact the relevant HHS and request they provide you with a copy.

We are committed to handling your personal information with care, and in accordance with privacy law. Our privacy commitment to you is set out in our Privacy Charter.

We apply the Queensland Information Privacy Act 2009 (Qld) that includes health-specific privacy principles (known as the ‘NPPs’). The NPPs guide how we collect and manage personal information, including health information.

Our approach to privacy includes meeting confidentiality requirements of the Hospital and Health Boards Act 2011 (Qld), and other Queensland laws that relate to managing your information.

Information about you

At Queensland Health, we describe information about you using three terms:

  1. personal information
  2. sensitive information
  3. confidential information.

The laws that apply to us use these terms.

Personal information

Personal information is defined by the Information Privacy Act 2009. Put simply, it is information that identifies a living person (or could lead to them being identified).

Sensitive information

Sensitive information is a subset of personal information. Sensitive information includes health information and other information such as race, ethnicity, religious beliefs, sexual preferences or practices and criminal records. We take additional care in our collection and handling of sensitive information.

Confidential information

Confidential information is information about a person who is receiving or has received a public health service. Confidential information includes care and treatment information.

Unlike personal information, which is only about a living person, confidential information can be about a living or deceased person.

Queensland laws set out requirements for how we handle confidential information.

These laws include:

To keep things simple, we use the term personal information in this Privacy Policy.

This diagram helps to illustrate the categories of personal information (PDF 279 kB) . The sections the follow describe the personal information we collect at Queensland Health, why we collect it and what we do with it.

Why we collect personal information

We collect personal information to provide health and wellbeing services to you, and to fulfil our other functions. Specifically, we collect personal information for the following.

We may use your personal information to provide you with our services to improve your health and well-being.

We may use your personal information to provide you with treatment and follow-up care that is appropriate for your needs.

We may use your personal information to make decisions about your applications for our services or benefits.

When you communicate with us via our website (www.health.qld.gov.au), your correspondence is treated as a public record. We keep your correspondence for as long as required by the Public Records Act 2002 (Qld) and other relevant laws. Your personal information included in the communication will never be shared with others unless you give us permission. Queensland Health does not reply to all communication received via our website. Communication may be forwarded to relevant business areas within Queensland Health or to an appropriate Hospital and Health Service.

We may use personal information for research to help us to improve Queensland healthcare practices. All research must meet ethical requirements and be authorised by the chief executive.

When you visit certain hospitals, your nurse or doctor may ask for your permission to use and disclose your health information for GIFTR research. This information may include: o medical and personal information in your heath record (such as mental health, behavioural health, sexual health, and drug use) o notes from doctors o test results (including x-rays and blood) o genetic information If you give permission, your information will only be used for GIFTR research. Your personal information involved in the research will never be made public. If you do not agree, your information will not be used for GIFTR research. Your decision will not affect your treatment of care. For more information regarding GIFTR, email GIFTR@health.qld.gov.au

We may ask you to take part in online surveys that appear on our website. The surveys, for example, may relate to health issues such as smoking. These surveys are voluntary, and you can often remain anonymous. If you would like to participate, you may be asked to agree to certain Terms and Conditions about the use and/or disclosure of your information. We sometimes conduct surveys using online platforms provided by external service providers. These providers may store information outside of Australia.

If you are a Queensland Health staff member, we will use your personal information to manage your employment and make payments to you.

Queensland Health may use your personal information to process your request to access or correct your own personal information. We provide more information on how you can request access to, or correction of, your personal information.

We may use your personal information to process requests to access other Queensland Health information. To find out more, you can visit our Right to Information request page.

We may use your personal information to investigate your privacy enquiry or complaint, and to communicate with you about your enquiry or complaint. We set out further information about how to make a privacy enquiry or complaint with us.

No attempt is, or will be, made to identify users or their browsing activities except, in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect activity logs.

We use Google Analytics (including display advertising features) on our website to gather anonymous information about visitors to our website. When you visit our web pages, your browser automatically sends anonymous information to Google. Examples of the information include the web address of the page that you’re visiting, your IP address and demographic information. Google may also use cookies.

We use this data to analyse the pages that are visited, to improve your experience and make sure our website is useful.

Read more about:

Queensland Health will only use your personal information for the purpose(s) that it was collected for, unless we have a lawful requirement or authority to use it for another purpose. Some circumstances where we may be lawfully required or authorised to use or disclose your personal information for another purpose, may include:

What we collect

Information we collect depends on the service or function we need it for. We take care to ask you only for what is necessary.

Some examples of the information we collect are:

Website visitors

Community

Employees/prospective employees/contractors

You can also visit the Queensland Health Information Asset Register for more information about the types of personal information collected and held by Queensland Health.

When we collect personal information

We may collect personal information directly from you or from someone else, such as your local doctor or a relative in an emergency situation.

We collect personal information when you:

When we ask you for your personal information, we will provide you with a notice to explain what personal information we need and why. This is called a ‘Privacy Notice’. We may provide you with a written or spoken Privacy Notice. For example, when you fill out a form that asks for your personal information, it will contain a Privacy Notice that explains why we need your information.

How personal information is shared

There may be times when we share your personal information. When we share your information, we do so in accordance with privacy law.

We may share your personal information with:

Queensland Health will not otherwise give your personal information to other government agencies, organisations or anyone else unless:

How personal information is managed

Queensland Health ensures the accuracy of the personal information we hold and keeps it secure through its lifecycle. In addition to the NPPs, we also apply Information Standard 18 of the Queensland Government Information Security Classification Framework.

Our contracted service providers also observe strict personal information management requirements.

Accuracy

Before we use your personal information, we may check with you to make sure it is accurate, complete and up to date. If you think we hold personal information about you that is inaccurate or out of date, please contact us. Find out more about correcting your personal information.

Security

Queensland Health securely handles and destroys personal information. To do this we have a range of information security practices that align with the Queensland Government information security standard. This includes, for example, only allowing certain staff to access your information, using a login and password.

Protection of personal information from unauthorised access and disclosure is a priority for us. Any concerns about the security of your personal information held by Queensland Health should be reported.

Contact the Queensland Health Principal Privacy Officer via email: rti-privacy@health.qld.gov.au

Microsoft 365

Microsoft 365 is a set of cloud-based productivity tools and integrated cloud services. Microsoft 365’s commonly used featured platforms for collaborative work include (but not limited to):

Queensland Health uses these platforms in a manner consistent with our responsibilities and obligations under the Information Privacy Act 2009 (Qld), Right to Information Act 2009 (Qld) and Public Records Act 2002; and the Queensland Government Customer and Digital Group Collaboration platform (Microsoft Teams) guideline.

Collection by Microsoft when using Microsoft 365

Microsoft may collect your personal information as a result of using Microsoft 365 services and applications. Microsoft’s privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.

Service providers

Queensland Health uses contracted service providers to provide particular services and functions of Queensland Health. Some examples include:

To provide these services and functions, service providers may collect and use personal information on our behalf. Queensland Health still controls and is responsible for the information. Queensland Health ensures that service providers meet our privacy and confidentiality requirements. We do this by entering into a contract or service agreement with them that includes privacy and confidentiality clauses.

Storage

Queensland Health stores personal information that we collect in both electronic and analogue formats; that is, we use paper-based and electronic storage systems. The privacy rules apply, irrespective of how we store personal information.

For electronically held and managed personal information, we use Australian/Queensland data centres and back-up systems wherever possible. Where personal information must be stored in an overseas location, we take care to ensure that privacy and security controls are in place (e.g. through strict contractual requirements and avoiding storage locations where privacy rules appear insufficient).

Retention

Queensland Health will keep your personal information for the minimum period of time as required in a retention and disposal schedule approved by the Queensland State Archivist. The minimum retention period varies between classes of records according to the purpose and use of the records.

Once the minimum retention period has been met, records (including any personal information associated with the records) are securely destroyed using disposal methods appropriate for the type of format and security classification of the records.

The following retention and disposal schedules document the minimum retention periods for records maintained by Queensland Health:

Social media

Queensland Health maintains a number of social media accounts for the purpose of pushing out information about:

Please be aware that personal information given to us or posted on any social media site becomes captured by that social media platform’s privacy policy. You may instead choose to contact us directly.

For information regarding Queensland Health social networking services, email socialmedia@health.qld.gov.au.

Monitoring of buildings

CCTV cameras

Some Queensland Health locations are equipped with Closed Circuit Television (CCTV) cameras. These are used to monitor safety and accessibility, as well as to deter (and capture evidence of) unlawful behaviour.

The CCTV cameras are owned and controlled by the Department of Housing and Public Works (DPW) as part of their whole of government services. The footage from the cameras is generally stored by DPW for 90 days before it is destroyed.

If you would like to enquire about the CCTV cameras, or you would like access to the footage, you can contact DPW via phone: (07) 3234 0777.

Secure check-in

Some Queensland Health buildings have a secure check-in facility for visitors, consultants and contractors attending our premises. This computerised check-in collects personal information, such as name and mobile phone number.

Secure check-in facilities are owned and controlled by DPW as part of their whole of government services. DPW is responsible for the management of any personal information provided.

For more information about the secure check-in facilities provided by DPW, contact DPW via phone: (07) 3234 0777.

How to access or correct your personal information

You have the right to:

  1. access personal information we hold about you
  2. correct your personal information, where you think that it is inaccurate, incomplete, or out-of-date.

If you would like to access or correct your personal information, we are generally able to do this for you. Please write to us, letting us know how we can contact you and:

Before we can give you access or correct your personal information, you will also need to verify your identity. This is to ensure that we don’t give your personal information to anyone else.

We provide detailed information on how to access and correct your personal information, and how to access other Queensland Health information, on our Right to Information request page.

The page includes a form that you can download and complete. Please submit your completed form to:

The Manager
Privacy and Right to Information Unit
Department of Health
GPO Box 48
Brisbane
Queensland 4001.

There may be times where we may not hold the personal information that you request (for example, where you request health records or CCTV footage of you). If we do not hold your personal information, we will direct you to the right agency.

How to make a privacy complaint

If you have a question about the Queensland Health Privacy Policy or a concern or complaint about how we handle personal information, please contact the Queensland Health Principal Privacy Officer on:

More information about submitting a privacy complaint is available our Privacy Complaints page.

Understanding and addressing privacy complaints is an important part of our service. If you are dissatisfied with our response to your complaint, you have a right to contact Queensland’s privacy regulator.

Additional privacy information and resources

General privacy

Health-specific privacy