By Jacky Zeng

The Information Privacy and Other Legislation Amendment Bill 2023 (the Bill) was introduced into Queensland Parliament on 12 October 2023.

The Bill has been referred to the Education, Employment and Training Committee for consideration.  IIS Partners will be submitting our thoughts on the Bill, with written submissions closing on 3 November 2023.

Key points up front

  • A proposed Bill amending Queensland’s privacy legislative framework in the Information Privacy Act 2009 (Qld) (IP Act) has been introduced into the Queensland Parliament.

  • The Bill would implement long awaited reforms to strengthen Queensland’s privacy legislative framework and require Queensland agencies to comply with additional privacy obligations.

  • Key amendments include introduction of a mandatory notification of data breaches scheme, a consolidated set of Queensland privacy principles (QPPs) and a revised definition of personal information to align with the definition in the Privacy Act 1988 (Cth) (Privacy Act).

Context of privacy law reform in Queensland

The Bill is the culmination of a long review process and recommendations for legislative changes from several reports and reviews. Recommendations for legislative reform can be first traced back to the Report on the Review of the Right to Information Act 2009 and Information Privacy Act 2009 (October 2017).

The Bill additionally addresses a number of recommendations from the Crime and Corruption Commission’s Operation Impala: Report on misuse of confidential information in the Queensland public sector (February 2020) which highlighted the serious impacts on individuals of public officers within government having unauthorised levels of access to systems and information (including personal information). Both the Operation Impala Report and the later Coaldrake Report into culture and accountability of the Queensland Government (June 2022) recommended that mandatory notification of data breaches be introduced as a requirement for Queensland government agencies.

The Queensland Government consulted the public on proposed reforms to Queensland’s Information Privacy and Right to Information frameworks, through release of the consultation paper Proposed changes to Queensland’s Information privacy and right to information framework in June 2022.

IIS notes that the timing of the Bill coincides with significant legislative reforms in privacy at the Commonwealth level. In September 2023, the Australian Government released the Government response to the Privacy Act Review. For a detailed discussion on this topic, see IIS’s first reaction and the interview given to SBS News by IIS Partner Nicole Stephensen.

Some key features of the Bill

Mandatory notification of data breaches

The Bill introduces a scheme that would make it mandatory to notify the Office of the Information Commissioner of Queensland (OIC) and affected individuals of ‘eligible’ data breaches (i.e., unauthorised access, disclosure or loss of personal information). The scheme would apply to Queensland agencies (i.e., those to which the IP Act applies) and largely mirrors the scheme in the Privacy Act.

QPPs

The Bill introduces a new unified set of QPPs which align closely with the Australian Privacy Principles (APPs) in the Privacy Act. This consolidates the IP Act’s existing two-pronged approach, where National Privacy Principles (NPPs) apply to Queensland Health agencies and the Information Privacy Principles (IPPs) apply to all other Queensland agencies, including local government, statutory bodies and public universities.

Definition of personal information

The Bill provides a revised definition of ‘personal information’ which is presently defined as ‘information or an opinion about an identifiable individual, or an individual who is reasonably identifiable from the information or opinion: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not’. The intention of the revision is to ensure alignment with the same definition in the Privacy Act.

IIS notes that the definition for ‘personal information’ in the Privacy Act has not yet been settled, which may – depending on outcomes of the Commonwealth privacy law reform process – necessitate an additional review and revision of the Queensland definition to ensure ongoing alignment.

Enhancing the powers of the Queensland OIC

The Bill provides for enhanced powers and functions for the OIC including:

  • A power to conduct own motion investigation of an act, failure to act or practice of an agency which may be in breach of the privacy principles or other obligations under the IP Act, and

  • Additional powers in relation to mandatory notification of data breaches, including a power of entry to an agency’s place of business (once notice procedures have been complied with) to observe its data handling practices and the power to direct an agency to give a statement and make recommendations, including a description of the data breach and steps an affected individual should take in response to the data breach.

Under the proposed changes Queensland agencies will be required to publish their data breach policy on their website and keep a register of eligible data breaches of the agency.

What’s next?

It is important for Queensland agencies to stay up to date with these proposed legislative reforms and ensure they follow them once adopted by the Queensland Government.

Some measures Queensland agencies can take now in preparation for these reforms:

  • Conduct a privacy maturity assessment and/or review specific information and privacy practices: Agencies should conduct a thorough review of their ability to comply with (current and) proposed privacy regulation in Queensland. Some relevant areas of information and privacy practice are: data collection, storage and sharing.

  • Implement privacy by design (PbD): PbD is a best practice approach that involves building privacy protections and safeguards into products and services from the outset, with a focus on prevention (rather than remediation). Agencies should consider implementing this approach to support compliance with the new regulations.

  • Establish and publish a data breach policy: The Bill will require agencies to prepare and publish a data breach policy on an accessible agency website. A data breach policy is a document that outlines how an agency will respond to a data breach, including a suspected eligible data breach. It may outline the responsibilities and procedures in place for the agency to investigate, assess, and notify the OIC and individuals (where required). Agencies should implement and regularly test their data breach policy to ensure they are able to meet proposed breach notification requirements, and effectively respond to data breach events.

  • Train employees on privacy best practices: Employees play a critical role in an agency’s privacy outcomes. Agencies should provide regular training to employees on privacy rules and best practices to ensure they are aware of their responsibilities and how to handle personal information.

  • Consult a privacy professional: Organisations can partner with a privacy professional to provide the above services leveraging years of expertise and relevant public sector experience. This is particularly helpful when privacy resources in the agency are stretched. Contact IIS to discuss how we can help you stay on top of these Queensland privacy reforms.