Skip links and keyboard navigation

How to apply the QGEA

While the Queensland Government Enterprise Architecture (QGEA) generally only applies to departments as defined under the Public Sector Act 2022, some additional government bodies may be directed to comply or have specific QGEA documents that apply to them.

Find out how the QGEA might apply to you and your organisation or entity and get help implementing it.

Government bodies can be categorised into 3 groups. The QGEA applies differently to each of these groups.

Queensland Government departments

QGEA principles, strategies and policies apply to departments under the Public Sector Act 2022 (Qld). Where other government bodies use a service, application or technology owned by a department, that body must also apply the relevant policies applicable for that asset.

Directed government bodies (e.g. statutory bodies)

Unless explicitly noted within a broadly applicable QGEA policy, the applicability of QGEA principles, strategies, policies and information standards are at the discretion of your Director-General (DG) or Minister.

To confirm QGEA applicability, you need to submit a formal enquiry to your DG or Minister. Should your DG or Minister determine the QGEA applies to you, contact the Queensland Government Customer and Digital Group at qgea@qld.gov.au, including your Director-General or Minister's response.

Government bodies using departmental owned services and assets

Generally, where other government bodies use a service, application or technology owned by a department, that government body must also apply the relevant policies applicable for that asset.

For example, a Statutory Body may be using a department’s payroll and timekeeping solution. The department may have decided to implement 2 factor authentication, and other security related processes to align with security best practice. The Statutory Body  should also adhere to the practices and processes that the department has put in place to ensure the continued security of this asset.

Departments may choose to put service level agreements in place to ensure obligations are clearly documented, communicated and understood by the government bodies that are using their services or assets.

Statutory bodies and accountable officers that must have regard to the QGEA

This category includes accountable officers and statutory bodies under the Financial and Performance Management Standard 2019 (FPMS).

Under the FPMS, accountable officers and statutory bodies must have regard to the QGEA in relation to:

  • internal control structure (section s7(4))
  • financial information management systems (section 22(2)(c))
  • risk management (section 23(5)).

For full details, see the Financial and Performance Management Standard section on this page.

What does ‘must have regard to’ mean?

Section 5 of FPMS explains this to mean that the accountable officer or statutory body complies by:

  • considering the contents of the document (in this case, the QGEA)
  • deciding whether the contents apply in the circumstances
  • if the contents apply – applying the contents.

That is, ‘must have regard to’ means making a conscious and documented decision to follow or not to follow (and therefore not apply) the QGEA.

If you are considering making a conscious and documented decision not to follow the QGEA, we highly recommend you undertake a risk assessment before making your final decision.

Refer to the risk management practices already in use by your government body when undertaking the risk assessment and have the risk assessment signed off by your accountable officer. See ICT Risk management and the ICT Risk matrix for more.

Some QGEA policy documents have broader applicability because their mandate is also part of legislative or regulatory instrument that applies more broadly within the Queensland Government. This table lists policies that should be considered by all agencies and government bodies.

QGEA policy

Applicability

Records governance policy

Applies to all public authorities as defined under the Public Records Act 2002 (Qld).

Domain names policy

It applies to the whole of government, including all Queensland Government departments and agencies. This policy must also operate under policies that apply to relevant higher level domains (i.e. .gov.au, .com.au, .edu.au etc).

Statutory authorities and local government entities are eligible to register a .qld.gov.au domain name if they desire but are not required to do so. If they do wish to register a government domain, they are required to adhere to this policy.

Internet protocol (IP) version 4 addressing policy

This policy applies to:

  • all Queensland Government departments
  • any Government Owned Corporation or Statutory Authority connecting into the whole-of-government network.
Information security policy (IS18:2018)

For directed government bodies, reporting requirements relating to Information security policy requirements and responsibilities and the Information security incident reporting standard are as per the accountable officer's direction/mandate.

The Financial and Performance Management Standard 2019 (FPMS) provides a framework for the development and implementation of systems, practices and controls for the efficient, effective and economical, financial and performance management of a department or statutory body. Key themes throughout the standard are the importance of accountability, governance, and internal controls.

The QGEA provides a range of policies and best practice guidance that can assist government bodies to meet their obligations in the FPMS and should be considered.

The following table provides examples on how the QGEA can support relevant sections of the FPMS.

Relevant section QGEA examples
Section 7(4) - Internal controls
This section is concerned with ensuring the efficiency and effectiveness of government body operations, objectives and delivery of services; and ensuring the accuracy and reliability of financial and management information; and managing risk exposure

The QGEA can help with internal controls methods or procedures in the areas of:

  • digital and ICT planning and investment management, planning and analysis
  • information management and security management
  • project, program and portfolio management approaches
  • assurance that projects and programs will deliver.
Section 22(2)(c) – Financial information management systems
This section covers the management of financial information including recording, storing, keeping, retrieving, destroying and securing financial information.
The QGEA can help with the management and security of information, including information governance, asset management, custodianship and records governance.
Section 23(5) – Risk management
This section includes managing risk and risk mitigation to ensure the continued operation of the department and the delivery of services
The QGEA is a central repository of digital and ICT risk management information, including asset risks, project, program and portfolio risks, security risks, procurement risks just to name a few.

Accountable officer and statutory bodies

The FPMS also includes scenarios where accountable officers and statutory bodies must have regard to the QGEA. Refer to the Queensland Treasury’s Financial Accountability Handbook.

It’s important to consider that no government body can implement the QGEA in its entirety in a short time frame. We recommend your team undertakes assessment and planning as required.

Use the QGEA implementation prioritisation guideline and spreadsheet tool that uses attractiveness and achievability assessments to prioritise implementation of QGEA policies (and principles), with the aim of developing an implementation plan.

Learn about QGEA Document governance to help you understand QGEA document types and how to interpret them. We recommend that government bodies become familiar with all the mandatory elements of the QGEA, namely the QGEA Policies, standards and guidelines.

Use the table provided to understand what you and your organisation or entity must have regard to and must apply as part of your QGEA implementation.

QGEA applicability overview

✔ = must apply the QGEA

x = not required, except when mandated or directed through the body's accountable officer.

* = must have regard to

 PrinciplesPolicyGuidanceReportingExceptionConsultation Investment review
Queensland
Government Departments
*
Directed Government bodies*xx
Broader applicability (specific policies)*x
Accountable officers and statutory bodies under the FPMS***xxxx

Use the QGEA self-assessment workbook to assess your work area against all principles and policy requirements.

We also recommend you familiarise yourself with other QGEA functions, in particular:

Reporting

At this time reporting to the Queensland Government Customer and Digital Group (QGCDG) is not required from government bodies, only departments. If broader reporting is required, those obligations will be listed within each policy itself. See Reporting requirements for more details.

Reassessments

We recommend that government bodies who are applying the QGEA regularly reassess their implementation plan and its progress regularly to incorporate any changes in circumstance and the ever changing digital and ICT landscape.

If you need help getting started or have questions about applying the QGEA, contact us via email: qgea@qld.gov.au