The IP Act defines personal information for both the IP Act and Right to Information Act 2009 (Queensland) (RTI Act) as:

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion—

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Common examples of personal information include an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details, and commentary or opinions made by or about the individual. Generally, the presence of an individual’s name in a document is sufficient to make it personal information.

Personal information also includes sensitive information, which is a specific category of personal information defined in Schedule 5 of the IP Act. Sensitive information is information or an opinion about an individual’s:

• racial or ethnic origin
• political opinions
• membership of a political association
• religious beliefs or affiliations
• philosophical beliefs
• membership of a professional or trade association
• membership of a trade union
• sexual orientation or practices
• criminal record
• health information
• genetic information that is not otherwise health information
• biometric information that is to be used for the purpose of automated biometric verification or biometric identification
• biometric templates.

The RTA administers the Residential Tenancies and Rooming Accommodation Act 2008 (the RTRA Act).

The RTA operates within the confines of other legislation governing public sector organisations, including:

• Right to Information Act 2009 (RTI Act).
• Information Privacy Act 2009 (IP Act).
• Information and Other Legislation Amendment Act 2023 (IPOLA Act).
• Financial Accountability Act 2009.
• Auditor General Act 2009.
• Public Records Act 2002.
• Housing Legislation Amendment Act 2021.
• Residential Tenancies and Rooming Accommodation Regulation 2009.

The RTA is also subject to other legislation which may legally require the RTA to provide information to external organisations on request, such as the Queensland and Federal Police Services and Office of State Revenue.

The RTA collects, stores, uses and discloses personal information in the following ways.

3.1 Personal information about employees including former and prospective employees

This is required for human resource management functions carried out for prospective and current employees and Board members (as applicable). These functions include employee administration, payroll and leave details, performance management, training, staff selection and information required for reporting against public sector requirements such as target groups.

Types of information collected include: names, dates of birth, contact details (including email addresses), work and education histories, tax file numbers and bank account details, referee reports, photographs, internet and email usage, and relevant medical histories.

Collection is authorised under the RTRA Act and the IP Act, relevant legislation (such as taxation and financial administration requirements) and internal policies and procedures.

3.2 Personal information about customers

This is required for rental bond management services (bond lodgements, refunds and transfers), dispute resolution services, telephone information services and compliance and enforcement services.

Types of information collected include names and contact details (including physical and email addresses), rental bond amounts and payments, bank account details, rent payments, details of claims, details of disputes, tribunal outcomes, supporting evidence as required (such as management agreements), invoices and quotes.

Collection is authorised under the RTRA Act and the IP Act, relevant legislation (such as taxation and financial administration requirements) and internal policies and procedures. Specific provisions relate to conciliation conducted through the RTA's dispute resolution service, which protects the confidentiality of the conciliation process and prevents any information from being released about the process.

3.3 Personal information about suppliers

This information allows normal business processes to take place. Examples of information collected include names, contact details, addresses for payment, bank account details to allow for electronic payment of accounts and Quality Management processes to monitor Rental Bond Direct Credit and Email Notification Statement of Agreement and ensure business processes are aligned.

Collection is authorised under the RTRA Act and the IP Act, relevant legislation (such as taxation and financial administration requirements) and internal policies and procedures.

3.4 Other personal information

This is collected in the process of fulfilling other RTA activities, like statistical research, community education activities, policy work and corporate communications. Examples of information collected include names and addresses of customers to receive information from the RTA, email addresses, generic information to provide statistics and analysis of the industry, opinions (such as customer feedback) and photographs for use in publications and displays. No personal details are released to external organisations for unsolicited mailing lists.

The RTA has contracts with suppliers external to the RTA to deliver services on behalf of the RTA. For example, outsourcing to a mail house to generate and post receipts for rental bonds and Notices of claim, to receive general RTA mail, and outsourcing to distribute RTA forms.

Any third-party organisations and suppliers which have been, or will be, contracted to perform services on behalf of the RTA will be required to be bound by the same privacy principles to which the RTA adheres under the terms of their contract with the RTA.

The RTA does not maintain any public registers.

RTA employees are made aware of their responsibilities to uphold privacy requirements and to comply with the requirements of the IP Act and related guidelines through mandatory training sessions and changes to documented procedures and policies. The QPPs set the rules for how the RTA must deal with personal information. Further information regarding each QPP is detailed below.

QPP 1 - Open and transparent management of personal information: 

Requires the RTA to manage personal information in an open and transparent way. Requires a clear, up-to-date and accessible QPP privacy policy (i.e. this Privacy Plan), and practices and procedures to ensure QPP compliance.

QPP 2 – Anonymity and pseudonymity: 

Requires the RTA to allow individuals the option of not identifying themselves (i.e. to deal with the agency anonymously or pseudonymously) unless it is:

• required or authorised under law
• impracticable.

QPP 3 - Collection of solicited personal information: 

Provides that the RTA:

• can only collect personal information that is reasonably necessary for, or directly related to, one of their functions or activities
• must collect it lawfully and fairly
• must collect it from the individual unless an exemption applies (including consent, lawful authority/requirement and law enforcement), or it is unreasonable or impracticable to do so.

Higher standards apply to the collection of sensitive information.

RTA service areas periodically review all forms and monitor processes for requests to collect information from customers or employees to ensure that notification requirements (as per QPP 5) are met, and authorisation for further disclosures is covered where necessary to the operation of the RTA service.

Employees in service areas that collect personal information by telephone (such as the Contact Centre and Dispute Resolution services) will notify customers that their personal information is being collected by the RTA for the purposes of fulfilling its functions under the RTRA Act and will obtain consent to further disclosure, where necessary.

Letters confirming notification and consent can be forwarded to customers following telephone contact, if required. Where telephone conversations are monitored by recording for quality control, training or supervision purposes, customers are advised of this at the outset of the conversation, such as through the messages-on-hold service.

QPP 4 - Dealing with unsolicited personal information: 

Requires the RTA to assess unsolicited personal information to determine whether they could have collected it under QPP 3 and/or whether it is a public record. If not, the RTA may be required to destroy or de-identify unsolicited personal information, subject to public record laws. Otherwise, QPPs 5 to 13 apply.

QPP 5 — Notification of the collection of personal information: 

Requires the RTA to take reasonable steps to make sure individuals are aware of the matters listed in QPP 5 including the RTA’s contact details, the facts and circumstances of the collection if collected from someone other than the individual and the consequences if the information is not collected. This applies when personal information is collected from an individual or from a third party.

QPP 6 — Use or disclosure of personal information: 

The RTA can only use or disclose personal information for the reason it was collected, unless QPP 6 allows it to be used or disclosed for a secondary purpose. These include instances where:

• the individual has consented to the use or disclosure of the information
• the individual would reasonably expect the agency to use or disclose the information for the secondary purpose (subject to limitations)
• it is required or authorised by law or reasonably necessary for law enforcement activities
• permitted general situations such as lessening or preventing a serious threat or locating a missing person (set out in schedule 4, part 1 of the IP Act) and permitted health situations (set out in schedule 4, part 2 of the IP Act).

Where information is stored in a computerised database, service areas ensure that appropriate descriptions are used to avoid errors or misinterpretation of data and standards are adopted which allow consistent transfer of information between areas within the RTA.

Standards have been adopted, in relation to the functions and purposes of each service area to ensure personal information is used only for the authorised purposes for which it was collected. Authorised purposes include the delivery of rental bond services, dispute resolution, compliance and enforcement, research, quality assurance, community education and information services. Information may be used internally to improve service delivery and to directly target customers, for example information and education campaigns, to research emerging issues in the rental sector and to establish client satisfaction levels with RTA services.

Taking part in RTA customer surveys

At times, the RTA may ask you if you wish to complete a survey questionnaire to provide feedback on the RTA’s services. Taking part in the survey is entirely voluntary and you can decline to participate. At times, the RTA may use web-based survey programs and sometimes their servers may be overseas (i.e. cloud based computing) and in these situations, the RTA complies with the IP Act when any personal information is transferred to a third party outside Australia.

The IP Act allows the transfer of personal information outside Australia only in certain circumstances including (a) where the third party (recipient) is subject to similar privacy obligations as the RTA; and (b) the transfer of personal information is necessary for the RTA to perform its functions. The RTA complies with these requirements when it sends survey questionnaires seeking feedback to improve its advisory services to customers.

Conduct of research projects

Where information is to be used for research purposes by the RTA, customers will be contacted by the RTA and asked whether or not they want to participate in identified research projects and will be given the opportunity to opt out of the research group if desired.

Social media platforms

The RTA uses Instagram, YouTube and LinkedIn to communicate with the public about its work and to raise awareness of the RTI and IP Acts. When individuals communicate with RTA via these social media platforms, we collect any personal information you provide when you communicate with us.

Instagram, YouTube and LinkedIn each have their own privacy policies.

Disclosure

• Service areas have written procedures to cover the main kinds of personal information employees can be expected to disclose and identified the authority for such disclosures. Employees who are in frequent contact with RTA customers are given additional training in the application of the QPPs to disclosure in the context of their service area functions.
• Information disclosed by the RTA or any of its service areas for research purposes generally will not contain personally identifying information. In instances where customers are to be contacted by a contracted external research company, the RTA will send out a communication providing customers with the opportunity to "opt out" of the selection pool.
• The RTA abides by Queensland Government protocols for the disclosure of personal information where it is necessary to fulfil its functions in responding to requests for information to support Ministerial correspondence (for example, responses to constituents) and engagement with members of the community.

QPP 10 — Quality of personal information
Requires the RTA to take reasonable steps to ensure the personal information:

• collected, used or disclosed is accurate, up to date and complete
• for use or disclosure is relevant to the purpose of the use or disclosure.

QPP 11 — Security of personal information
Requires the RTA to take reasonable steps to protect the personal information it holds from:

• misuse, interference or loss
• unauthorised access, modification or disclosure.

The RTA has policies regarding information storage and will further develop and review separate policies for storage of electronic and paper information to safeguard information in line with the RTA's and whole-of-government policies.

Requires the RTA to take reasonable steps to destroy or deidentify personal information that is no longer needed for any purpose and is not a public record or otherwise required to be retained under law or court or tribunal order.

QPP 12 and QPP 13 — Access to and correction of personal information
Requires the RTA to give access to and correct personal information they hold, subject to limitations.

The RTA’s Administrative Access Scheme allows customers to access their personal information and request amendments to be made. This is detailed in sections 7 and 9 of this plan.

Customers have the right to access and amend their own personal information in accordance with QPP 12 of the IP Act.

Requesting access to personal information can be made either under the RTA’s Administrative Access Scheme or formally under the RTI Act.

The RTA’s Administrative Access Scheme is an easier and quicker process than the formal Right to Information application process. In most cases, the scheme is used for applicants who require access to their own personal information. Further information regarding this scheme can be found on the RTA's Administrative Access Scheme webpage.

To make an application to access personal information held by the RTA under the Information RTI Act, customers are to provide a written notice:

• containing your address and ideally your contact details so that we can discuss your request
• containing details of what information you require
• containing acceptable proof of identity
• marking your request to the attention of the Privacy Officer.

Requests may be lodged using the application form available from our office or downloaded from the website:

• in person at level 11, Midtown Centre, 150 Mary Street, Brisbane between 8.30am - 5pm Monday to Friday (excluding public holidays)
• by posting to GPO Box 390, Brisbane Q 4001
• by email to rta.enquiries@rta.qld.gov.au.

There is no charge to lodge a request for your own personal information. Information will only be provided to an applicant when RTA has received evidence of identity.

The RTA controls access, use and disclosure of personal information through a variety of mechanisms including physical, electronic and system security controls and by providing its staff with training.

The RTA is committed to protecting the personal information that it holds and will not release an individual's personal information to any other person or agency unless authorised under QPP 6.

Such circumstances where personal information may be disclosed under QPP6 include:

• Where consent has been provided by the person that the personal information relates. Commonly this will be through a consent notice or instruction, such as a letter of authority or power of attorney.
• The RTA provides a QPP5 Privacy Collection Notice whenever personal information is collected to advise how personal information will be handled and if it will be disclosed by consent or as required by law.
• Where the RTA wishes to conduct a survey seeking feedback from its customers to improve its services.
• If it is authorised under a law, such as the Income Tax Assessment Act 1936 & 1997, Social Security Act 1991, etc.
• Where it is necessary for law enforcement purposes, such as by the Queensland or Federal Police, ASIO, etc.
• If the RTA believes that it is required to prevent a serious threat to an individual’s life, safety or welfare or public health, safety of welfare.
• Where there is a very strong public interest in using the information for research, analysis, or compilation of statistics.

There may be cases where someone involved in a bond or dispute requests information about another party involved in the bond or dispute. Unless the other party has provided consent, the RTA will only disclose non-personal information and will mask, delete, or blank out the personal information of the other party. The RTA does not provide any information to other agencies for direct or commercial marketing purposes unless consent has been provided.

Where a third party is acting on behalf of the RTA, the third-party organisation will be required to comply with the QPPs under the terms of its contact with the RTA.

Letters of Authority and Powers of Attorney

Parties should seek independent legal advice about letters of authority and powers of attorney. The RTA cannot provide guidelines for how to complete these documents, and we do not have forms or templates that can be utilised.

Letter of Authority 

A Letter of Authority (LoA) is a signed letter from a customer, instructing the RTA to deal with another person on their behalf.

A LoA should be sent to bonds@rta.qld.gov.au with a reference number, such as a bond number and/or client ID number, and include the following:

• The customers full name and contact details.
• The representative’s full name and their contact details. For an organisation, the Letter of Authority should be on the organisation's name on an official letterhead with the authorised officer's name, position, and contact details.
• Be signed by both the customer and their proposed representative.
• Include a copy of the customer’s photo ID (ID is not required for their representative) which is current (no more than six months old) include the scope of the authorisation. For example, the wording should state the customer 'authorises the RTA to release information to' the third party rather than simply claiming they have authority to act on behalf of the other person. If no details are specified, the RTA may make further contact to establish the scope of the authorised party’s authority. 

Power of Attorney

A Power of Attorney (PoA) is a legal document giving another person the authority to make personal and/or financial decisions on behalf of the customer. A PoA can be cancelled at any time. 

There are two types of Powers of Attorney (PoA):

1. A General Power of Attorney and
2. An Enduring Power of Attorney.

A copy of the PoA or, in the case of the Public Trustee, a Certificate of Authority should be sent to bonds@rta.qld.gov.au. The email should include a reference number, such as a bond number and/or client ID number. A copy of the customer’s photo ID, which is current (no more than 6 months old), must be included.

Parties should contact the Department of Justice or seek independent legal advice for more information. 

Accepted Photo ID 

Photo ID is required to verify the identity of the customer to mitigate privacy risks. Photo ID’s will be saved on the relevant customer’s record and stored in accordance with the Public Records Act 2023 and the IP Act. 

A valid photo ID may be scanned or photographed and emailed to the RTA. Any of the following forms of photo ID are acceptable:

• Australian driver licence or learner permit.
• Australian or International passport.
• An 18+ or proof of age card. 

If there has been a court or tribunal order appointing the Public Trustee, the Certificate of Authority must also be provided.

Applicants may request amendment to their personal information if they believe the information is inaccurate, and, given the purpose of the information, irrelevant, incomplete, out-of-date or misleading.

If it is decided to amend the information, the amendment may be carried out by making a correction, deletion or addition to the information.

Before making a formal application for an amendment of personal information, contact the RTA as the RTA may be prepared to correct the information without the need of a formal application. A formal application for amendment must:

• be in writing
• contain your address and ideally your contact details so that we can discuss your request if necessary
• contain details of the information you believe to be inaccurate, irrelevant, incomplete, out-of-date or misleading
• specify the amendments required
• contain acceptable proof of identity
• be addressed to the attention of the Privacy Officer.

Acceptable proof of identity is outlined on the OIC website – Evidence of identity and authority.

Requests may be lodged using the application form available from our office or downloaded from the website. Submit a request:

• in person at level 11, Midtown Centre, 150 Mary Street, Brisbane between 8.30am - 5pm Monday to Friday (excluding public holidays)
• via post to GPO Box 390, Brisbane Q 4001
• via email to rta.enquiries@rta.qld.gov.au.

Any individual that is dissatisfied with a privacy access or amendment decision may make a written request for an internal review except where the decision has been made by the Chief Executive Officer of the RTA. An internal review request may only be made:

• by an individual
• about a decision made by the RTA or a third party acting on behalf of the RTA
• about the personal information of the individual making the complaint
• where the complainant believes that the RTA decision does not comply with the QPPs or the IP Act
• within 20 business days after the decision was made.

Requests may be lodged:

• in person at level 11, Midtown Centre, 150 Mary Street, Brisbane between 8.30am - 5pm Monday to Friday (excluding public holidays)
• via post to GPO Box 390, Brisbane Q 4001.
• via email to privacy@rta.qld.gov.au.

The RTA is required to make a decision in regard to an internal review request within 20 business days (and any additional periods in certain circumstances) from the date a valid application is made, and inform the complainant of the decision in writing including any further appeal (external review) rights.

The internal review will be undertaken by a person more senior than the original decision maker and will consider the original access or amendment application as if it were a fresh application.

Should an applicant remain aggrieved by a privacy access or amendment decision after internal review they may seek external review through the Office of the Information Commissioner (OIC). Refer to the OIC website for further information.

If you believe that the RTA has breached the QPPs of the IP Act you can make a complaint via RTA’s complaints management process. You must make your privacy complaint to the RTA within 12 months of becoming aware that there may have been a breach of the rules in the IP Act.

The RTA has at least 45 business days to respond to your complaint and we may seek extra time. If the complaint is not resolved to your satisfaction or the RTA has not given you a response in time, you can take your complaint to the Office of the Information Commissioner. The Office of the Information Commissioner will handle the complaint in accordance with its Privacy Complaint Handling Policy.

The RTA is required to undertake specific actions when we know or reasonably suspect a data breach. These actions include:

• Containing the data breach and mitigate harm.
• Determining if the breach is an eligible data breach, and if so:
  • notify the OIC of a Mandatory Notification of Data Breach (MNDB)
  • notify affected individual.
• Publishing a Data breach policy about how data breaches will be managed.
• Maintaining an internal register of eligible data breaches.

An eligible data breach under the MNDB scheme applies when:

• There is unauthorised access to, or unauthorised disclosure of, personal information held by the RTA, or there is a loss of personal information held by the RTA in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.
• The unauthorised access to, or disclosure of the information is likely to result in serious harm to an individual to whom the personal information relates (an ‘affected individual’).

Serious harm means serious physical, psychological, emotional, or financial harm to the individual because of the access or disclosure or serious harm to the individual’s reputation because of the access or disclosure.

Other types of harm may also meet the serious threshold. This is not an exhaustive definition and includes any real and substantial detrimental effect to an individual. The effect on an individual must be more than irritation, annoyance or inconvenience.

Factors that the RTA must consider:

• The kind of personal information accessed, disclosed or lost.
• The sensitivity of the personal information.
• Whether the personal information is protected by one or more security measures and the likelihood that any of those measures could be overcome.
• The kind of person/s who have or could obtain the personal information.
• The nature of the harm likely to result from the breach.
• Any other relevant matter.​

Examples of an eligible data breach include:

Cyber-attack where banking details were accessed

• Identity theft occurs.
• Financial loss.
• Credit rating impact.
• Emotional or psychologic harms.

Address disclosure to ex-partner (in a domestic and family violence context)

• Risk to personal safety.
• Emotional distress.
• Financial loss.
• Further DV – Personal injury.

Sensitive medical records shared with employer 

• The person is unsuccessful in securing employment or misses out on career opportunities.
• Emotional distress.
• Reputational damage​​.