As Artificial Intelligence (AI) becomes more advanced, its ability to streamline and automate processes has seen it become increasingly adopted across government to improve efficiency and service delivery. However, with privacy concerns surrounding the handling of customer data through external platforms, we asked the Minister for Customer Service and Open Data what measures are in place to ensure data is handled securely and that AI is implemented in a safe and responsible manner.

The minister has since provided the below response in italics, which outlines the compliance and security measures that the Queensland Government must follow in relation to AI usage and the handling of customer data, as well the appropriate avenues for residents to raise concerns if they believe their data has been mishandled.

Queensland Government agencies are required to comply with strict data and security policies to ensure that Personal Information is not stored or processed offshore in adherence with the Information Privacy Act 2009 (QLD). The Queensland Office of the Information Commissioner has published detailed guidance for agencies, including Privacy Impact Assessments and other relevant advice to help identify and mitigate offshore storage risks.

Queensland Government agencies are also required to ensure compliance with Queensland Government Enterprise Architecture policies, such as the Information Security Policy (IS18:2018) and the Information Security Classification Framework, which require agencies to classify information, apply security controls, and confirm data residency before procurement or deployment of ICT projects.

In addition, the Queensland Government has embedded guardrails in our Al platform to ensure compliance with Australia’s Al ethics principles, and security standards in line with the National Framework for the Assurance of Artificial Intelligence in government.

Monitoring of Al risks is supported by the Queensland Government Cyber Security Unit, which provides timely advice to government on emerging threats, such as the banning of Al tools like DeepSeek, that may pose security risks and providing best practice guidance to safeguard data collections held by the Queensland Government.

The Queensland Government has adopted ISO Standard 38507:2022 for Al governance as a mandatory policy to ensure that Al systems are managed responsibly and securely. Agencies and statutory authorities adopting Al are also guided by the Foundational Al Risk Assessment framework, which helps them evaluate and mitigate risks associated with Al deployment.

In addition, procurement guidelines are being updated to include baseline requirements for Al solutions procured by agencies to ensure compliance and alignment with Queensland Government values and ethical principles.

Transparency standards for Al use are set by each agency’s Al governance body. Most recently, the Queensland Auditor General has tabled a report to Parliament (Managing the ethical risks of artificial intelligence) on the responsible use of Al in the Queensland Government which recommended further expansion of existing policies to more clearly identify areas where Al is being used, and how it is governed. My department has committed to deliver a response to this recommendation by 30 June 2026.

In cases where residents believe data is mishandled by external platforms or Al systems, including privacy matters or data breaches, they can raise concerns through established complaint mechanisms including the Office of the Information Commissioner, the Queensland Human Rights Commission, or directly with the government agencies concerned.

Our office will continue to monitor the Minister’s commitment to respond to the Queensland Auditor-General’s recommendation to expand existing policies and provide clear definitions of where AI is being used and how it is governed.

Customer Data Complaints

As outlined in the minister’s response, please find below the appropriate channels for residents, who believe their data has been mishandled, to raise their concerns.

Complain directly to the agency

If you have concerns about how your personal information has been handled, your first step is to raise the issue directly with the agency involved. Each Queensland Government agency is required to have a process for managing privacy complaints and must provide a written response within a reasonable timeframe.

When making your complaint, include:

  • what occurred
  • when it occurred
  • how you believe your privacy or human rights were affected
  • any supporting documents
  • the outcome you are seeking.

The agency must consider your concerns and provide a response. If you do not receive a reply within the required timeframe, or you are not satisfied with the agency’s decision, you may then escalate your complaint to the appropriate oversight body, such as the Office of the Information Commissioner for privacy matters, or the Queensland Human Rights Commission for human rights matters.

Office of the Information Commissioner

Under the Information Privacy Act 2009 (IP Act), if you believe a Queensland Government agency has handled your personal information in a way that is not consistent with the privacy principles, you can make a privacy complaint.

Before lodging a complaint with the OIC, the IP Act requires you to first raise your complaint directly with the agency you believe has breached your privacy. The OIC website provides detailed information on privacy complaints, including who you can complain about and a step-by-step guide to making a complaint.

If the agency does not respond within 45 business days, or you are not satisfied with its response, you can make a written complaint to the OIC. More information is available at:
https://www.oic.qld.gov.au/about/privacy/make-a-privacy-complaint-2

Queensland Human Rights Commission

The Human Rights Act 2019 protects rights to privacy and reputation, including the collection and handling of personal information.

If you believe a public entity has not properly considered your human rights, you must first make a complaint directly to that agency. If you do not receive a response, or you are not satisfied with the outcome, you can then lodge a complaint with the Queensland Human Rights Commission.

You can lodge a complaint online at:
https://www.qhrc.qld.gov.au/complaints/lodge-your-complaint-online

Further information

To read the Information privacy Act 2009, visit https://www.legislation.qld.gov.au/view/html/inforce/current/act-2009-014

To review the Queensland Auditor General’s Managing the Ethical Risks of Artificial Intelligence Report, visit www.qao.qld.gov.au/reports-resources/reports-parliament/managing-ethical-risks-artificial-intelligence

Please find the State and Federal Government policies and procedures guiding the use of AI and data handling in government below: