Business Insight

Queensland’s IPOLA Guidelines - Privacy Self-Assessment Guide

  1. What you need to know
  2. What you need to do

What you need to know

  • Queensland’s privacy law reforms take effect on 1 July 2025.
  • Agencies must assess their privacy practices and procedures, and identify and address gaps and risks.
  • The OICQ’s Privacy Self-Assessment Guide outlines the key steps for conducting a self-assessment; we break down what those steps mean in practice.
  • Self-assessments help identify gaps, risks and the improvements required.

What you need to do

  • Plan your assessment: Identify the business units to be assessed and the key privacy gaps and risks, including how the assessment maps to your strategic plans.
  • Review data handling: Map how personal information is used and where compliance gaps exist.
  • Review policies and procedures: Align policies and practices with the Queensland Privacy Principles (QPPs).
  • Manage risks: Establish a privacy risk matrix and improve governance.
  • Prepare for breaches: Implement response plans and compliance workflows.

On 4 December 2023, the Information Privacy and Other Legislation Amendment Act 2023 (Qld) (Act), passed by the Queensland Parliament, received assent. Its privacy reforms to the Information Privacy Act 2009 (Qld) (IP Act) are expected to commence on 1 July 2025. You can read more about that here.

The Office of the Information Commissioner Queensland (OICQ) has released guidelines to support agencies in preparing for the changes to the IP Act. The Privacy Self-Assessment Guide, accessible here (the Guide), provides practical guidance to assist agencies to assess their privacy practices and procedures. The Privacy Self-Assessment is conceived as an agency-wide maturity assessment to identify gaps and risks, along with areas which require uplift and investment by the agency.

By conducting a self-assessment, agencies can proactively identify and address gaps or risks in their management of personal information, particularly in the lead-up to the commencement of the changes to the IP Act. We know that it is no small feat to conduct such an assessment: it will require the allocation of dedicated resources and time within the agency to properly conduct the review. This article provides a practical summary of the Guide, but agencies will benefit from tailoring the advice in the Guide to make sure that the steps they take are fit for purpose.
Agencies may approach this self-assessment in one of three ways:

  1. conducting a single assessment across the whole agency;
  2. assessing business units considered highest risk first, then moving to lower risk units; or
  3. conducting a pilot review in one unit first, to assess the effectiveness of the self-assessment.

The self-assessment may be conducted either by each business unit itself or, alternatively, by a separate business unit (or the officer or team responsible for IP Act compliance) assessing the business unit's compliance.

The Guide's steps are set out below, with what you should do at each step and how we can help.

Develop an assessment plan

What should you do?
  • Describe the business units of the agency which are to be assessed.
  • Provide a brief description of their responsibilities and activities.
  • Identify the relevant Queensland Privacy Principles (QPPs) against which personal information practices will be assessed.
  • Set out the proposed schedule for each unit's assessment.
How can we help?
  • Attend sessions with your key stakeholders to gather information about how personal information is collected, used, disclosed and handled. Based on the information gathered in these sessions, an assessment and remediation plan can be formulated to develop (or enhance) the agency's privacy risk management framework.

Conduct a personal information inventory

What should you do?
  • Create a detailed inventory categorising the personal information the business unit collects, holds, uses or discloses.
  • The inventory should include the purposes of collection, uses, disclosures, access, storage and dates of collection for retention/destruction purposes (refer to the Queensland State Archives retention and disposal schedules to assist).
How can we help?
  • Provide input and legal advice based on the key stakeholder sessions.
  • Identify and summarise key data retention and destruction obligations under the IP Act, the QPPs and the applicable retention and disposal schedules.
  • Develop and implement a data remediation plan to ensure retention obligations are met across high-risk systems.

Conduct a policy and procedure inventory and review

What should you do?
  • Compile a list of the policies, procedures, standards, work practices and legislation that relate to each business unit's handling of personal information.
  • Review policies and practices and identify any misalignment with the IP Act and the QPPs.
How can we help?
  • Prepare a QPP privacy policy that complies with QPP 1.3 and 1.4.

Keep and review records of privacy complaints and breaches

What should you do?
  • Identify where privacy complaints are made, who is responsible for them, how they are recorded, and how they are reported to senior leadership.
  • Review records of privacy complaints to ensure accuracy (if there are no records, gather information on complaints from the last three years).
  • Assess complaints to identify compliance with the mandatory data breach notification scheme (including the obligations to publish a data breach policy and to keep a data breach register).
  • Assess any improvements to be made to the complaint handling process.
  • Identify areas of common concern among customers.
How can we help?
  • Prepare the data breach plan and policy required by section 73 of the IP Act, and establish data breach and privacy complaint response workflows to ensure obligations are met (including a suitable register of eligible data breaches as required by section 72 of the IP Act).
  • Conduct simulated data breach exercises to assess the responsiveness and suitability of policies and processes.
  • Advise on the responsiveness of insurance policies to a data breach, including material gaps and any requirements around the appointment of specialist advisors (legal, cyber).

Align your self-assessment with strategic plans (if any)

What should you do?
  • Your strategic plan should explicitly address privacy risks and the collection, use, storage and destruction of personal information.
  • Collate individual unit plans and check them for consistency with the strategic plan.
How can we help?
  • Assist with the development of agency-wide strategies to meet your regulatory obligations and manage your risks.
  • Develop business cases to obtain the funding or headcount needed to achieve your strategic goals.
  • Review internal and external messaging regarding strategic planning.

Develop a risk matrix

What should you do?
Develop a risk matrix (you can refer to the risk matrix provided in Appendix 1 of the Guide) to identify the business units and workflows which pose the highest risk, based on indicia such as:
  • the nature of the information handled;
  • the consequences of a breach;
  • trends in privacy complaints; and
  • emerging technology risks.
How can we help?
  • Guide the development of an appropriate privacy risk matrix.
  • Map business units and their associated workflows to the risk matrix to create a consolidated overview of the agency's exposure to the defined risk factors and the sources of those risks.
  • Establish key risk indicators and develop workflows to ensure accurate and consistent privacy risk reporting to the agency's leadership team.

Prepare criteria for assessment

What should you do?
Prepare the criteria for the assessment drawing upon:
  • the obligations in the IP Act and the QPPs; and
  • the questions in Appendix 2 of the Guide, which focus on accountability, collection, security, accuracy, openness, use and disclosure, and complaint and breach review.
How can we help?
  • Create a consolidated, simplified overview of the relevant privacy obligations to ensure stakeholders understand the obligations that apply to them.

Conduct the assessment

What should you do?
Conduct the assessment by:
  • conducting interviews with relevant business unit officers;
  • circulating hard copy or electronic surveys or questionnaires;
  • reviewing files and documents; and
  • direct observation or physical inspection.
How can we help?
  • Establish workflows to enable business units to undertake adequate risk assessments themselves.
  • Analyse the outcomes of the assessments to identify outstanding risks and gaps, and provide comprehensive recommendations to remediate material risks.

Review the outcome of the assessment

What should you do?
  • Review the outcome of the assessment with the business unit and take steps to address any identified privacy compliance issues.
How can we help?
  • Review and uplift policies, standards and training, as needed.


Where an agency is more privacy literate, it may lean on another tool for assessing privacy risk: a Privacy Impact Assessment (PIA). A PIA differs from a Privacy Self-Assessment in that it is usually done on a per-project basis. It is a scalable tool that agencies can use to identify what personal or sensitive information will be involved in a project, the project's potential impact on individuals' privacy, whether the proposed use of the information complies with the QPPs and section 33 of the IP Act, and the associated risks and mitigation strategies. While a PIA is not explicitly required for every project, the OICQ strongly encourages PIAs as part of a privacy by design approach. The OICQ has released a PIA Report Template, available here, to help agencies fully consider business changes, whether arising from upcoming projects or from the changes needed to implement the IPOLA reforms.

Conducting a thorough privacy assessment is a critical step for agencies to ensure compliance with the upcoming privacy reforms. By following the steps outlined in this article and leveraging the guidance provided by the OICQ, agencies can proactively address privacy risks and enhance their data protection practices. For further assistance, agencies can consult Ashurst and Ashurst Risk Advisory to develop and implement effective self-assessment plans tailored to their specific needs.

Want to know more?

  • Business Insight - New Queensland Privacy and RTI bill is here (19 October 2023)  
    On 30 November 2023, the Queensland Parliament passed the Information Privacy and Other Legislation Amendment Bill 2023 (Qld) (Bill) that will implement long awaited privacy reforms to the Information Privacy Act 2009 (Qld) (IP Act) and the Right to Information Act 2009 (Qld) (RTI Act) in Queensland. 

Other authors: Michael Turner, Executive; Alex White, Associate.

This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

This material is current as at 27 February 2025 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice.

The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.