Australia: Published IPOLA guidelines for Queensland government agencies on dealing with personal information and working with contractors

On 9 October 2024, the Queensland Office of the Information Commissioner published the Information Privacy and Other Legislation Amendment Act (IPOLA) guidelines for Queensland government agencies on dealing with personal information and working with contractors. The guidelines state that agencies must take reasonable steps to ensure that contractors comply with the Act, particularly when personal information is transferred or processed on behalf of the agency. These service arrangements don’t need to be formal contracts but must involve delivering services for the agency or a third party. Contractors are required to follow the Queensland Privacy Principles (QPPs), including rules on the use, disclosure, and overseas transfer of personal data. If the agency fails to bind the contractor to the IP Act, it may be liable for any privacy breaches, but once bound, contractors take responsibility for their compliance. Furthermore, the guidelines emphasise that subcontractors are not directly bound by the IP Act, and agencies must include appropriate privacy obligations in their agreements with the main contractor, holding them accountable for any privacy breaches caused by subcontractors.