Privacy Impact Assessment Requirements - Brisbane

Published February 11, 2026

This guide explains Privacy Impact Assessment (PIA) expectations for projects and systems managed by Brisbane City Council and related public services in Brisbane, Queensland. It summarises where PIAs are referenced in council guidance, who enforces privacy obligations locally, how to prepare a PIA, complaint and appeal pathways, and practical action steps for project teams and vendors working with council-held personal information. Use the cited official pages to confirm forms, contact points and any limits that apply to your project before you start a procurement or data-sharing arrangement.

Start any design or procurement involving personal information by checking council privacy guidance and considering a PIA.

What a Privacy Impact Assessment covers

A PIA evaluates how a project, system or service will collect, hold, use, disclose and dispose of personal information, and recommends controls to reduce privacy risks to individuals and the council. Typical topics include lawful basis, data minimisation, storage and retention, access controls, third-party disclosures and data breach preparedness.

When a PIA is required

  • New ICT systems, major vendor integrations or projects that handle sensitive personal data usually trigger PIA consideration by the council.
  • Procurements or contracts that involve ongoing personal data processing often require a PIA as part of tender submissions.
  • Significant changes to existing information-handling practices or cloud migrations may require a refreshed PIA.

Penalties & Enforcement

Brisbane City Council implements privacy controls through its governance and privacy functions and accepts complaints about council-held information. Specific fines and penalty figures for council PIA non-compliance are not specified on the cited council page.[1]

  • Monetary fines: not specified on the cited page for council-level PIA breaches; statutory privacy penalties may apply under Queensland law and are set in the relevant state instruments.[2]
  • Escalation: first, repeat and continuing-offence ranges are not specified on the cited council page; escalation typically follows complaint investigation and internal remediation steps.
  • Non-monetary sanctions: orders to rectify practices, mandatory remediation, requirement to destroy or return data, and referral to state oversight bodies or courts are possible remedies (specific powers not specified on the cited page).
  • Enforcer: Brisbane City Council's Privacy Officer and Governance teams handle local complaints and compliance. For external review, the Office of the Information Commissioner (Queensland) provides oversight for privacy matters in Queensland public sector agencies.[1]
  • Inspection and complaint pathways: lodge a privacy complaint with Brisbane City Council via the official contact/complaint channels, or escalate to the Office of the Information Commissioner; see official contact pages for submission details.[3]
  • Appeals and review: appeal routes and statutory time limits are not specified on the cited council page; refer to the council and OIC guidance for procedural time limits and review options.[2]

Council advises contacting its Privacy Officer for formal complaints and initial review.

Applications & Forms

The council does not publish a specific, mandatory PIA form on the cited council guidance page; where a form or template is required, the council or the procuring business area will supply the document or reference an approved template.[1]

Preparing a PIA for Brisbane projects

Prepare a proportionate PIA: document purpose, data flows, lawful bases, risk assessment, mitigation measures and residual risks. Integrate privacy-by-design controls into procurement and contracts, and ensure third parties provide information security and privacy assurances.

  • Identify data elements and classify sensitivity.
  • Record technical and organisational controls (encryption, access controls, logging).
  • Attach vendor privacy policies and data-processing clauses to contracts.
  • Document retention and secure disposal schedules.

Keep PIAs proportionate to risk and retain them as part of project records.

How-To

  1. Nominate a project privacy lead and check council privacy guidance and project governance requirements.
  2. Map personal data flows and record purposes and lawful bases for each processing activity.
  3. Assess privacy risks, identify mitigations and document residual risk in the PIA report.
  4. Obtain approval from the council governance or privacy contact and file the PIA with project records prior to go-live.
  5. Review the PIA after 6–12 months or after any major change to processing or systems.

Embed PIA outcomes into contracts and acceptance criteria for any supplier work.

FAQ

Who must complete a PIA for council projects?
Project leads or procuring teams handling personal information should complete a PIA or seek council guidance to confirm if a PIA is required.

Where do I lodge a privacy complaint about council handling of personal information?
Lodge a complaint with Brisbane City Council's privacy contact; if unresolved, you may escalate to the Office of the Information Commissioner (Queensland).

Key Takeaways

  • Assess privacy risk early in project planning.
  • Document PIA findings and attach them to procurement records.
  • Contact the council's Privacy Officer for advice before implementation.

Help and Support / Resources


  [1] City of Brisbane - Privacy, Right to Information and Governance
  [2] Office of the Information Commissioner Queensland - Privacy guidance
  [3] City of Brisbane - Contact and Complaints