Government bodies can be categorised into 3 groups. The QGEA applies differently to each of these groups.
Queensland Government departments
QGEA principles, strategies and policies apply to departments under the Public Sector Act 2022 (Qld). Where other government bodies use a service, application or technology owned by a department, that body must also apply the relevant policies applicable for that asset.
Directed government bodies (e.g. statutory bodies)
Unless explicitly noted within a broadly applicable QGEA policy, the applicability of QGEA principles, strategies, policies and information standards are at the discretion of your Director-General (DG) or Minister.
To confirm QGEA applicability, you need to submit a formal enquiry to your DG or Minister. Should your DG or Minister determine the QGEA applies to you, contact the Queensland Government Customer and Digital Group at qgea@qld.gov.au, including your Director-General or Minister's response.
Government bodies using departmental owned services and assets
Generally, where other government bodies use a service, application or technology owned by a department, that government body must also apply the relevant policies applicable for that asset.
For example, a Statutory Body may be using a department’s payroll and timekeeping solution. The department may have decided to implement 2 factor authentication, and other security related processes to align with security best practice. The Statutory Body should also adhere to the practices and processes that the department has put in place to ensure the continued security of this asset.
Departments may choose to put service level agreements in place to ensure obligations are clearly documented, communicated and understood by the government bodies that are using their services or assets.
Statutory bodies and accountable officers that must have regard to the QGEA
This category includes accountable officers and statutory bodies under the Financial and Performance Management Standard 2019 (FPMS).
Under the FPMS, accountable officers and statutory bodies must have regard to the QGEA in relation to:
- internal control structure (section s7(4))
- financial information management systems (section 22(2)(c))
- risk management (section 23(5)).
For full details, see the Financial and Performance Management Standard section on this page.
What does ‘must have regard to’ mean?
Section 5 of FPMS explains this to mean that the accountable officer or statutory body complies by:
- considering the contents of the document (in this case, the QGEA)
- deciding whether the contents apply in the circumstances
- if the contents apply – applying the contents.
That is, ‘must have regard to’ means making a conscious and documented decision to follow or not to follow (and therefore not apply) the QGEA.
If you are considering making a conscious and documented decision not to follow the QGEA, we highly recommend you undertake a risk assessment before making your final decision.
Refer to the risk management practices already in use by your government body when undertaking the risk assessment and have the risk assessment signed off by your accountable officer. See ICT Risk management and the ICT Risk matrix for more.