Restricted applications, products and web services policy
Purpose
The Queensland Government is committed to protecting information and minimising security risks associated with the use of information communication and technology (ICT) software, services, facilities and devices. This policy states the Queensland Government’s position on restricted applications, products and web services.
Policy statement
The Queensland Government prohibits the access, use or installation of restricted products, applications and web services (see the Restrictions List) on any government provided information and communication technology (ICT) services, facilities and devices.
The Queensland Government strongly recommends owners of BYOD devices do not access, use or install restricted products, applications and web services (see the Restrictions List) on devices that are used to access Queensland Government applications and services. This includes but is not limited to smartphones, tablets, laptops and desktops.
Policy benefits
This policy helps departments to manage the risks associated with use of the restricted products, applications and web services.
This policy is consistent with Australian Government policy and Protective Security Directions where applicable (see the Restrictions List for alignment).
Applicability
This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). This policy also applies to accountable officers (not already in scope of the Public Sector Act 2022) and statutory bodies under the Financial and Performance Management Standard 2019 in the context of internal controls, financial information management systems and risk management.
Other Queensland public sector entities including councils and government-owned corporations are strongly encouraged to follow this guidance voluntarily.
Please see How to apply the QGEA for further information.
Policy requirements
Policy requirement 1:
Agencies must identify and remove all existing instances of restricted products, applications and web services on the Restrictions List on all Queensland Government systems.
Policy requirement 2:
Agencies must prevent the access, use or installation of restricted products, applications and web services on the Restrictions List on all Queensland Government systems and devices.
Advice
The Queensland Government Information security classification framework (QGISCF) details how Queensland Government agencies undertake information security classification of their information assets and holdings. Conducting a business impact level assessment and determining the security classification can assist agencies to understand the information’s importance and assess damage that could be caused if the information was compromised.
There may be circumstances where a restricted product, application or web service has a legitimate business use. In these cases, a risk assessment and management plan must first be completed in consultation with the agency Chief Information Security Officer (or equivalent) and authorised by the Agency Accountable Officer.
Agencies should also strengthen supply chain risk management arrangements to accommodate emerging technology risks, including transparency measures to minimise the introduction of additional risks in the supply chain. This could include consideration of
- enhanced cybersecurity measures and risk assessments, particularly for higher criticality assets
- enhanced data governance and privacy protocols
- supplier diversification
- scenario planning and simulation to respond to sudden changes.
Agencies can use capabilities of their fleet management platforms to identity, remove and prevent future installation of restricted applications on Queensland Government devices. Gateway and internet filtering products can be configured to restrict access to any restricted web services. Agencies should consider the risks associated with Restricted List software on personal devices with access to government information and services.
Specific technical advice to assist Government agencies in the implementation of this policy is provided under Technical Advice. This guidance is only accessible to Government employees.
Implementation
This policy comes into effect from the issue date. Individual restrictions apply from the specified date for a product, application or web service in the Restrictions List.
Restrictions List
The following products, applications and web services, have been identified as posing an unacceptable risk to Queensland Government, networks and data and are therefore restricted for use:
| Name | Commonwealth alignment | Effective date | |
|---|---|---|---|
| RL-01 | TikTok | April 2023 | |
| RL-02 | DeepSeek | Direction 001-2025 | February 2025 |
| RL-03 | Kaspersky Lab, Inc. | Direction 002-2025 | April 2025 |
Technical Advice
The following links provide additional guidance to assist Government agencies in the implementation of this policy. This guidance is only accessible to Government employees.
| Name | Technical Advice | |
|---|---|---|
| RL-02 | DeepSeek |