By Susan Shanley and Jacky Zeng

Queensland government agencies will be subject to new Privacy Principles as state parliament passes privacy reform.

Key points up front

• The Information Privacy and Other Legislation Amendment Act 2023 was passed on 29 November 2023.

• The information privacy reforms include:

  • consolidation of the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) into a single set of privacy principles: Queensland Privacy Principles (QPPs),

  • introduction of a mandatory data breach notification (MDBN) scheme, and

  • enhanced powers for the Information Commissioner to respond to privacy breaches including an own-motion power to investigate an act or practice without receiving a complaint.

• The amendments commence on a day to be fixed by proclamation.

• It is currently expected the reforms to the Information Privacy Act 2009 (IP Act) including the new QPPs, will begin on 1 July 2025. This means all agencies, including local government, would transition to the new QPPs on 1 July 2025. The MDBN scheme will likewise commence for all agencies except local government at that time.

• A phased commencement of the MDBN scheme includes an additional 12-month delay for local government only to 1 July 2026.

Queensland Privacy Principles

The reforms to the IP Act include adopting a single set of privacy principles based on the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act) referred to as the QPPs, replacing the NPPs for health agencies and the IPPs for all other agencies.

The new Schedule 3 in the IP Act sets out the QPPs which generally align with the APPs in the Privacy Act. There are some adaptations for Queensland agencies. Furthermore, some APPs and specific APP provisions which are not relevant to the Queensland government context have not been adopted in the QPPs.

IIS has undertaken a detailed comparative analysis of the IPPs/NPPs and the new and/or changed requirements under the QPPs, including what steps agencies and contractors can take now to prepare for the changes when they commence.

A snapshot of IIS’s comparative analysis is provided by reference to five questions and answers on the QPPs:

Question 1:

If a bound contracted service provider has an existing contract with a Queensland agency, does the contractor need to comply with the new QPPs once they commence?

Answer 1:

No, the QPPs do not apply to existing contracts and will only apply to new contracts entered into after commencement, unless there is agreement to a variation. This means the IPPs or NPPs will continue to apply to existing contracts.

The QPPs do not extend to subcontractors. However, contracted service providers should take steps to ensure any subcontractors supporting them in relation to Queensland government contracts have sufficient ability to manage privacy obligations. 

While the QPPs will not apply to existing contracts, IIS strongly recommends all businesses contracted to, or intending to, provide services to Queensland government agencies start the process of familiarising themselves with the revised requirements under the QPPs. 

This is particularly important given small businesses are currently largely exempt from the operation of the Privacy Act and unlikely to be familiar with the APPs and, therefore, the QPPs – which are largely modelled on the APPs – may be a mystery to them. Small business (and other contractors) will need to update their existing privacy arrangements for any new contracts entered into after commencement. 

Unlike the Privacy Act, the QPPs of the IP Act will apply to all bound contracted service providers and there is no exemption for small business providers.

Question 2:

There doesn’t appear to be a QPP equivalent of APP 8 – cross-border disclosure of personal information. What requirements apply to agencies and bound contracted service providers disclosing personal information outside Australia?

Answer 2:

While the Privacy Act includes a privacy principle about cross-border disclosure of personal information (APP 8) there is no equivalent QPP.

Under the Privacy Act, APP 8 and section 16C generally require an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs and makes the APP entity accountable if the overseas recipient mishandles the information (see Chapter 8: APP 8 Cross-border disclosure of personal information).

Section 33 of the IP Act is retained as the preferred method for regulating overseas disclosures of personal information rather than adopting an equivalent QPP 8. The term ‘transfer’ has been replaced with ‘disclosure’ in section 33 of the IP Act.

This means agencies (and contracted services providers where relevant) will continue to comply with section 33 of the IP Act. 

There is a note at QPP 8 which states ‘there is no equivalent QPP for APP 8.’

Question 3:

There is no detail provided under QPP 7, QPP 8 and QPP 9. What does this mean? How does an agency comply with these QPPs?

Answer 3:

The QPPs generally align with the APPs in the Privacy Act, with some adaptations for Queensland agencies. Some APPs that apply to organisations, specific Commonwealth agencies and Commonwealth functions have not been adopted.

APPs 7, 8 and 9 have not been adopted in the QPPs as they are not relevant to the handling of information by Queensland public sector agencies. APP 7 regulates direct marketing, APP 8 regulates cross-border disclosure of personal information (see previous question and answer) and APP 9 regulates the adoption, use or disclosure of government related identifiers (for example, Medicare numbers and driver licence numbers).

This doesn’t mean that there are no requirements for Queensland agencies in those areas above. For example, the disclosure requirements in QPP 6 are applicable for the use of personal information in direct marketing, and as noted, section 33 of the IP Act provides provisions for cross-border disclosures.

Where an APP (or a provision of an APP) has not been adopted in the QPPs, the QPPs include a note referring to the relevant APP or provision. For example:

The Editors note to QPP 7 – direct marketing states:

The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle prohibiting direct marketing by certain private sector entities (see APP 7).

There is no equivalent QPP for APP 7.

Note—QPP 6 is relevant to the use or disclosure of personal information for the purpose of direct marketing.

Question 4:

What is a QPP code and how is this different to the QPPs? Do agencies bound by a QPP have to comply with it?

Answer 4:

A QPP code is a written code of practice about information privacy, approved by regulation, which states how one or more of the QPPs are to be applied or complied with by agencies that are bound by it. 

A QPP code may also impose additional requirements to those imposed by a QPP, to the extent that they are not inconsistent with a QPP. 

The purpose of the QPP code is to provide individuals with transparency about how their information will be handled. 

Once the amendments commence, agencies bound by a QPP code will be required to comply with the code and must not do an act or engage in a practice that contravenes a QPP code.

An example of a Code can be found under the Privacy Act. An APP Code is in force which sets out specific requirements and key practical steps Australian Government agencies must take as part of complying with APP 1.2. This includes requirements such as:

• having a privacy management plan,

• appointing a Privacy Officer, or Privacy Officers, and ensuring that particular Privacy Officer functions are undertaken,

• appointing a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information and ensure Privacy Champion functions are undertaken, and

• undertaking a written PIA for all ‘high privacy risk’ projects or initiatives involving new or changed ways of handling personal information.

Question 5:

Do the QPPs impose requirements on agencies to have a privacy policy?

Answer 5:

Yes, QPP 1.3 requires an agency to have a clearly expressed and up-to-date privacy policy about the management of personal information by the agency.

Other requirements placed on agencies under QPP 1 regarding privacy policies include:

• ensuring the privacy policy contains the required information, and

• taking reasonable steps to make its privacy policy available to the public free of charge and in an appropriate form. For example, an agency may do this by publishing its privacy policy on the agency’s website. 

IIS strongly recommends all agencies have a clearly expressed and up-to-date privacy policy in the interest of best privacy practice and openness and transparency about the handling of personal information.

Need assistance?

The above snapshot represents only a small sample of the changes Queensland agencies (and the businesses that support them) will need to make to ensure they are compliant with the QPPs once they commence.

It is important to be ready for the coming changes! As a leading Australian privacy consultancy, and a trusted service provider to the Queensland government, IIS can help. We can assist with your readiness assessment and we offer comprehensive privacy training, governance support, MDBN scheme preparedness and many other services to support your agency in addressing these important reforms.

Please contact IIS to find out more.